HHS Attorney: Major HIPAA Fines and Enforcement Coming


As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR. But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months.

According to Law360, Jerome B. Meites, Chief Regional Civil Rights Counsel Region V – Chicago, indicated at a recent American Bar Association (ABA) conference that OCR’s last 12 months of enforcement activity will “pale in comparison to the next 12 months.” To put that into perspective, consider that since June 1, 2013, HHS OCR has published nine resolution agreements that have resulted in over $10 million in monetary settlements, including a record $4.8 million monetary settlement announced in May 2014. “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up,” Mr. Meites said.

When Law360 asked about the reason for the increase in activity, Mr. Meites pointed to previous statements made by HHS OCR regarding an increasing desire to send strong messages – statements like the one made by OCR Director Leon Rodriguez at the announcement of the Final Rule:

“The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

“They think they can affect the industry with high-impact cases,” Mr. Meites added. The increase in OCR enforcement activity may be attributable to OIG’s November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule. The report focused on the shortfall in OCR’s action to ensure covered entity compliance with the Security Rule.

Law360 also reported that, at the ABA conference, Mr. Meites discussed the next round of HIPAA audits, which he expected would begin later this year and end in 2015. According to Mr. Meites, HHS OCR is still working to identify which organizations will be audited from a list of over 1,200 candidates. Eight hundred of these candidates are covered entities—health care providers, health plans, or health care clearinghouses—and the remaining 400 are the business associates that store or process the information maintained by those covered entities. The audit firm KPMG noted at the NetDiligence conference in Philadelphia on Friday that HHS has not indicated how it will select the business associates.

Law360 also reported that Mr. Meites had some words of advice regarding HIPAA compliance. “Portable media is the bane of existence for covered entities,” Mr. Meites said. “It causes an enormous number of the complaints that OCR deals with.” Mr. Meites reportedly went on to note that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the cases involving monetary settlements. “You really have to think carefully about what a risk analysis involves, and it can’t just be the obvious,” Mr. Meites said. “Everywhere in your system where [patient information] is used, you have to think about how to protect it.”

Based on the resolution agreements issued to date, the last round of HIPAA audits, as well as Mr. Meites’ statements at the ABA conference, covered entities and their business associates must continue to evaluate portable media, analyze risk, conduct ongoing risk management, and review routine information system activity as part of an effective HIPAA security compliance program. The Security Risk Analysis continues to be one of the most important aspects of the HIPAA security program, including during an OCR investigation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
