Enforcement activity by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) showed no signs of slowing throughout 2018 and has already picked up speed in 2019. More recent and significant actions from OCR last year include the following:
• OCR began 2019 with the recovery of a $3 million settlement and a corrective action plan based on two reported breach incidents. The first was an update to security settings that unintentionally permitted access to an otherwise unprotected server, which made protected health information (PHI) accessible to anyone with access to the server. The second resulted from a misconfiguration during a response to an information technology (IT) troubleshooting ticket, which exposed unsecured PHI over the internet. OCR also found that the provider failed to perform periodic evaluations in response to operational changes and failed to obtain a written business associate agreement (BAA) with a PHI contractor. OCR said the resolution is a reminder that “information security is a dynamic process, and the risks to electronic PHI (ePHI) may arise before, during and after implementation” of system changes.
• In the spring of 2019, HHS OCR moved to quarterly newsletters, providing ongoing “recommendations” to those in the healthcare industry.
• An Administrative Law Judge (ALJ) granted summary judgment in OCR’s favor, upholding remedies it had imposed on a Texas hospital.
• In the fall of 2018, OCR announced its largest monetary settlement to date.
• The agency recovered a record-breaking total of $28.7 million in 2018 from 10 reported enforcement actions.