Since 2015, the HHS Office for Civil Rights has sanctioned six healthcare covered entities with corrective action plans and financial fines for major violations of the HIPAA privacy and security rules.

While OCR’s operations are partly funded via HIPAA fines, the ramped up activity appears to be more about clearing a backlog of HIPAA investigations of breaches prior to 2013, say Valerie Breslin Montague and Laurie Cohen, both partners at the Nixon Peabody law firm.

Valerie Breslin Montague
Valerie Breslin Montague

Clearing the backlog of older investigations will let OCR move on to investigations of breaches that occurred after new rules in 2013 that gave the agency authority to regulate business associates, which are a major source of breaches and a current focus of OCR for compliance with HIPAA. The 2013 rules also included new requirements in such areas as marketing and genetic testing.

As this new phase of HIPAA compliance enforcement begins, it’s important for covered entities and business associates to realize that how they respond to initial OCR queries goes a long way toward how OCR will respond in kind.

Laurie Cohen
Laurie Cohen

When OCR investigates a breach, it looks at the totality of compliance and whether there is a culture in the organization around privacy and security. Organizations responding quickly to a breach and to OCR inquiries as it investigates the breach are demonstrating the appropriate culture, Breslin Montague notes.

OCR announcements of HIPAA fines and corrective action plans send a message to the industry, but also are an instructive moment, according to Cohen. Nixon Peabody uses the announcements to talk with clients about such issues as who is receiving their protected health information and has the client assessed the recipient’s ability to protect it, and the need for the client to regularly reassess their risk analysis.

For instance, OCR’s recent sanction of North Memorial Health Care, which included a $1.55 million fine and a corrective action plan, is instructive for other covered entities because of its emphasis on business associate agreements.

Also See: HIPAA violations lead to $1.55 million fine of hospital system

“Many covered entities take a prophylactic approach to managing their business associates agreements by sending such agreements to all of their vendors regardless of whether the vendors will be given access to PHI,” Nixon Peabody told clients in a recent notification. “The North Memorial Resolution Agreement, however, suggests that OCR expects covered entities to have a more deliberate process to assess who is and who is not a business associate.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access