OCR on HIPAA enforcement: 'We may have more fines in the future'

Covered entities and their business associates continue to struggle with HIPAA compliance, with the Health and Human Services Department's Office for Civil Rights (OCR) receiving almost 20,000 complaints a year, according to Iliana Peters, the agency's senior advisor for compliance and enforcement.

“People are very concerned [about] the privacy and security of their information,” Peters said Thursday at a conference co-hosted by OCR and the National Institute of Standards and Technology in the District of Columbia. OCR investigations stem not only from complaints but also from breach notifications that covered entities are required by HIPAA to report, from news reports, and from information provided by other government agencies.

Some of the most common issues in enforcement that OCR is dealing with, she said, include:

  • A lack of business associate agreements between business associates (BAs) and covered entities
  • Agreements that are not updated to include the requirements of the HITECH Act
  • Incomplete or inaccurate risk analyses
  • Failure to manage an identified risk or do so within a reasonable time frame
  • Lack of transmission security
  • Insider threats
  • Improper disposal of patient information
  • Insufficient data backup and contingency planning

Peters also noted that this year OCR has already resolved 12 matters, 11 by settlement agreement and one by civil monetary fine, with recoveries of more than $20 million. In 2015 the total was only $6.2 million. The settlement agreements, under which an entity pays far less in exchange for taking corrective action, are meant to be instructive to the industry. A fine, she said, is imposed when necessary.

“We may have more fines in the future,” Peters warned.

OCR will be providing more guidance to help covered entities and BAs, noted Deven McGraw, OCR’s deputy director for health information privacy, also speaking at the conference. The guidance documents will address, among other things, the distinction between a request for records made by a third party and one made by the individual patient, text messaging, sharing information with a patient’s friends and family, and social media.

McGraw also pointed out that the desk audits in Phase 2 of the HIPAA audit program are underway, but that it was too early to share results. Audits of BAs, she said, will begin in November.