How HIPAA Enforcement Protocols May Be Changing Soon

When it comes to protecting private medical information, proper HIPAA enforcement is of paramount importance.

With the change in administration, this enforcement may be changing as well. Learn what this could mean here.

How We Got Here

Since the HITECH Act was passed in 2009, HIPAA enforcement has seen dramatic change.

At the time of HITECH’s passing, the Department of Health and Human Services’ Office of Civil Rights (OCR) became responsible for HIPAA enforcement.

The passage of the Omnibus Rule in 2013 made further changes and considerably strengthened OCR’s ability to enforce a more stringent rule set.

The widespread noncompliance uncovered launched a continuous period of settlements, right up to the final days of the Obama administration.

HIPAA Enforcement Through Today

The OCR currently enforces the Privacy and Security rules by:

  1. Investigating complaints
  2. Enacting and overseeing compliance reviews to determine whether or not covered entities (CE) are in breach of compliance (also known as audits)
  3. Conducting education and outreach programs for CEs to learn more about and understand HIPAA’s requirements
  4. Working with the Department of Justice to investigate possible criminal breaches and violations of HIPAA

The Data Breach Crisis

Data breaches in healthcare are costing the industry upwards of $6.2 billion.

With evolving cyber attack threats, a decline in these costs seems unlikely.

According to the Breach Barometer from Protenus, 2016 saw a record high number of data breaches.

The need for greater resources and attention to HIPAA compliance is undeniable, but the Protenus study shows little change in the budgets allocated to deal with these breaches.

What Is The Threat?

Criminal attacks continue to close the gap on the largest threat, workforce behavior.

And with cyber threats (including malware, ransomware, and denial of service attacks) on the rise, that isn’t expected to change.

That being said, it is time for healthcare organizations to pay attention.

Every hospital and healthcare provider needs to assess its risk and protect itself against unexpected cyber security attacks.

CEs need to consider how they can better protect patient health information and how they can reduce access to information at high risk of theft, such as social security numbers and financial information.

Recent criminal HIPAA prosecutions resulting in multi-year prison sentences should have healthcare providers and employees on red alert.

How the New Administration Will Affect HIPAA Enforcement

The new administration has taken a critical attitude towards what it describes as burdensome regulations on healthcare providers.

Will the OCR continue to provide guidance on HIPAA compliance and the relationship between HIPAA and rapidly changing technology?

It’s hard to say.

What is clear, though, is that this uncertain air doesn’t leave room to let regulations slide. Doing so could result in major penalties for healthcare organizations down the line.

The OCR Lives On

Despite the unclear political climate in regards to healthcare, HIPAA remains the law of the land.

Over the past few years, the OCR released a slew of documents and statements to help healthcare officials more consistently comply with HIPAA regulations.

Though we still await the promised guidance as to dealing with text messaging and social media, these documents helped clear up misunderstandings and laid roadmaps for new healthcare organizations working to navigate HIPAA enforcement.

Now, the OCR has turned its attention to the challenges presented by the aspects of medical privacy not anticipated at the time HIPAA was created.

New OCR director Roger Severino has identified new ways to adapt HIPAA enforcement to the ever-evolving threats.

In light of its new focus, the OCR has explicitly identified two target areas moving forward this year:

  1. Audits (learn how to prepare for these here)
  2. Modernizing HIPAA in light of innovation and changing technology in healthcare

What This Means for the Future of HIPAA Enforcement

In the past two years, OCR has been flexing its muscles with groundbreaking strength.

That isn’t expected to change.

In 2017, the OCR released details of its first quarter’s four HIPAA enforcement penalties, together totaling over $11 million:

  1. Presence Health, an Illinois healthcare network, was fined $475,000 for an incident that occurred over 3 years ago. The network had failed to notify its patients of a breach in security within the required 60-day timeframe. The penalty was the first HIPAA enforcement related to the prescribed timeline of breach notification.
  2. MAPFRE, an insurance company, was fined $2.2 million after an unsecured USB device containing patient health information for over 2,000 people was stolen. In a subsequent investigation, the OCR found that MAPFRE performed below HIPAA’s standards in risk assessment, risk management and the safeguarding of portable devices. Additionally, the OCR found that MAPFRE had inadequate security training available to its employees.
  3. The Children’s Medical Center of Dallas was fined $3.2 million after the OCR learned that it hadn’t taken measures to secure portable devices until 2013, years after it was made aware of the risks. Its lack of security controls resulted in multiple breaches affecting the patient health information of over 5,000 individuals.
  4. Memorial Healthcare System, a corporation based in Florida, was fined $5.5 million after an incident involving improper disclosure of over 115,00 individuals’ patient health information. This tied the Advocate Healthcare Network’s August 2016 fine as the highest penalty in the history of HIPAA enforcement.

To put this in perspective, 2016 saw a total of $20 million in fines – and that broke records at the time.

That means in just the first two months of this year, the fines accumulated have hit more than half of last year’s total.

What Should You Do Now?

In light of this year’s HIPAA enforcement penalties, it certainly is not the time for healthcare organizations to sit back on compliance regulations.

While the Trump Administration has hinted at possibly reducing the regulations to relieve their projected burden on healthcare providers, for now at least, the safest bet is to assume the regulations will continue, full force ahead.

The OCR has certainly done nothing to indicate otherwise.

That means it’s time to buckle down on HIPAA security.

Need a team of experts to help you protect yourself and your organization? Contact us now.

If you are interested in a cost-effective HIPAA compliance service package, click here to learn more.

HIPAA Security Reminders
HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.