When Jerry Menikoff retired at the end of 2022 after leading the HHS Office for Human Research Protections (OHRP) for 14 years, he left behind an agency limping along with 20 employees, less than half of what it needed. For...more
5/28/2025 / Biden Administration, Compliance, Department of Health and Human Services (HHS), Employees, Enforcement, Federal Funding, Government Agencies, Hiring & Firing, National Institute of Health (NIH), OCR, Office for Human Research Protections (OHRP), Regulatory Oversight, Trump Administration
In October, the HHS Office for Civil Rights (OCR) fined Providence Medical Institute (PMI) $240,000, an amount that reflected a 20% discount for having “recognized security practices” (RSPs) in place. But many more covered...more
5/12/2025 / Business Associates, Compliance, Covered Entities, Data Breach, Department of Health and Human Services (HHS), Enforcement Actions, Health Information Technologies, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Security Rule, OCR, Penalties, Privacy Laws, Regulatory Reform, Security and Privacy Controls, Trump Administration
When it comes to changes roiling the federally supported research landscape, April offered no letup from the first three months of the year; if anything, the pace and magnitude increased. In one instance, an agency—the HHS...more
5/9/2025 / Budget Cuts, Compliance, Department of Energy (DOE), Department of Government Efficiency (DOGE), Department of Health and Human Services (HHS), Employees, Enforcement, Government Agencies, Grants, Institutional Review Board (IRB), Investigations, National Institute of Health (NIH), Office for Human Research Protections (OHRP), Popular, Regulatory Oversight, Regulatory Reform, Research and Development, SACHRP
Today, the HHS Office for Civil Rights (OCR) stands shoulder-to-shoulder with the likes of the Office of Inspector General and Office of General Counsel, one of just a dozen or so agencies reporting directly to the secretary....more
4/15/2025 / Budget Cuts, Charter Schools, Compliance, Cybersecurity, Data Privacy, Department of Health and Human Services (HHS), Enforcement, Enforcement Actions, Federal Funding, Health Care Providers, Hiring & Firing, Medical School, OCR, Patient Privacy Rights, Patients, Privacy Laws, Regulatory Requirements, Trump Administration
Research universities have had one less worry (at least temporarily) since Judge Angel Kelley of the U.S. District Court for the District of Massachusetts granted a preliminary restraining order prohibiting NIH from imposing...more
4/1/2025 / Compliance, Congressional Committees, Federal Funding, Government Agencies, Healthcare, Legislative Agendas, Regulatory Reform, Research and Development, Scientific Research, Transparency, Universities
Nearly six years to the day that Warby Parker reported a breach affecting nearly 200,000 individuals, the HHS Office for Civil Rights (OCR) imposed a $1.5 million fine on the eyewear giant. Investigated by OCR under the Biden...more
3/12/2025 / Business Associates, Compliance, Covered Entities, Cybersecurity, Data Breach, Data Privacy, Data Protection, Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, OCR, PHI, Privacy Laws, Trump Administration
If NIH succeeds in imposing an across-the-board indirect cost rate of 15%, rough estimates indicate the University of Michigan could lose $119 million a year. Emory University could be down $75 million. For the University of...more
3/3/2025 / Compliance, Department of Health and Human Services (HHS), Discrimination, Diversity, Diversity and Inclusion Standards (D&I), Executive Orders, Federal Contractors, Federal Funding, Grants, Healthcare, Legislative Agendas, Mental Health, National Institute of Health (NIH), New Legislation, New Regulations, OMB, Regulatory Agenda, Research and Development, Restraining Orders, Secretary of HHS, Trump Administration
The saga that led Children’s Hospital Colorado to accept a fine of more than $500,000 imposed by the HHS Office for Civil Rights (OCR) began on July 11, 2017, when a physician’s email account containing details on 3,300...more
2/7/2025 / Civil Monetary Penalty, Compliance, Cybersecurity, Data Breach, Data Privacy, Department of Health and Human Services (HHS), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Hospitals, OCR, PHI, Privacy Laws, Risk Management
Scientist and pharmaceutical researcher Andrew P. Mallon—who first reported to NIH and others in 2016 his suspicions that then-Athira Pharma CEO Leen Kawas falsified data in published papers—filed the whistleblower suit...more
1/27/2025 / Academic Misconduct, Compliance, Corporate Misconduct, Department of Health and Human Services (HHS), Department of Justice (DOJ), Enforcement Actions, False Claims Act (FCA), Fraud, Medical Research, National Institute of Health (NIH), OIG, Pharmaceutical Industry, Regulatory Oversight, Research Funding, Scientific Research, Settlement, Whistleblower Awards, Whistleblower Protection Policies, Whistleblowers
Recent federal enforcement actions have brought home the lesson that there’s really no acceptable reason for denying a patient timely access to medical records. Last year, for example, the HHS Office for Civil Rights (OCR)...more
1/22/2025 / Breach Notification Rule, Compliance, Cybersecurity, Data Breach, Data Privacy, Data Security, Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Information Technology, OCR, Patient Privacy Rights, Privacy Laws, Privacy Rule, Ransomware, State Privacy Laws
In 2023, after two years of study, an NIH task force proposed a series of recommendations to improve stewardship of research it funds, including that the agency adopt “stopping rules” that would allow poorly designed or low...more
1/7/2025 / Clinical Trials, Compliance, Coronavirus/COVID-19, Healthcare, Institutional Review Board (IRB), Investigations, Medical Research, National Institute of Health (NIH), Policies and Procedures, Regulatory Requirements, Research and Development, Research Funding, SACHRP, Scientific Research, Secretary of HHS
It’s not immediately obvious why someone would want to disclose a health care test result as part of a job application. But one such request spurred a Pennsylvania entity to provide a lot more than that: it sent her whole...more
12/19/2024 / Breach Notification Rule, Certifications, Chief Compliance Officers, Compliance, Corporate Governance, Corrective Action Plans (CAPs), Data Privacy, Department of Health and Human Services (HHS), Disclosure, Disclosure Requirements, Employer Liability Issues, Fines, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Job Applicants, Medical Records, OCR, Patients, Penalties, PHI, Popular, Privacy Laws, Sensitive Personal Information, Training Requirements, Unlawful Disclosure
Note to research compliance officials still digesting news of Pennsylvania State’s recent $1.25 million settlement over False Claims Act (FCA) allegations related to cybersecurity and the government’s recent intervention in a...more
12/9/2024 / Cloud Service Providers (CSPs), Compliance, Cybersecurity, Data Security, Department of Defense (DOD), Department of Justice (DOJ), DFARS, Enforcement Actions, False Claims Act (FCA), Federal Contractors, Fraud, Government Seals, NIST, Noncompliance, Penn State, Research and Development, Settlement, Whistleblowers
Covered entities (CEs) and business associates (BAs) may receive a “discount” for having recognized security practices (RSPs) in place when the HHS Office for Civil Rights (OCR) calculates financial penalties for Security...more
11/14/2024 / American Hospital Association, Business Associates, Compliance, Covered Entities, Department of Health and Human Services (HHS), Enforcement Actions, Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Violations, OCR, Personal Information, Privacy Laws, Regulatory Agenda, Regulatory Requirements, Security Rule
In recent months, NIH signaled that it, in the words of Director Monica Bertagnolli, understands the “difficult climate for our valued Asian American, Asian immigrant and Asian research colleagues who may feel targeted and...more
11/4/2024 / China, Compliance, Criminal Convictions, Criminal Prosecution, Department of Homeland Security (DHS), Department of Justice (DOJ), Disclosure, Failure To Disclose, False Claims Act (FCA), Interference Claims, Investigations, Medical Research, National Institute of Health (NIH), Research and Development, Scientific Research
On the heels of a $7.6 million payment by Cleveland Clinic to settle allegations of False Claims Act (FCA) violations and unallowable sharing of passwords, Michael Lauer, NIH deputy director for extramural research, penned a...more
11/4/2024 / Compliance, Corrective Action Plans (CAPs), Cybersecurity, Disclosure Requirements, Enforcement Actions, False Claims Act (FCA), False Reporting, Federal Grants, Food and Drug Administration (FDA), Harassment, Healthcare, HHS Office of Research Integrity (ORI), Information Sharing, Investigations, Life Sciences, Medical Research, National Institute of Health (NIH), National Science Foundation, Office for Human Research Protections (OHRP), OIG, Policies and Procedures, SACHRP, Scientific Research, Settlement, Sexual Harassment, Statutory Requirements, Warning Letters
Let’s review for a moment.
It’s not a HIPAA violation to be a victim of ransomware.
It’s not a HIPAA violation to pay a ransom.
It’s up to the covered entity (CE) to determine if a security or privacy incident is a...more
10/16/2024 / Compliance, Covered Entities, Cyber Attacks, Cyber Incident Reporting, Data Breach, Data Protection, Data Security, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Investigations, OCR, Patients, Popular, Privacy Laws, Ransomware, Regulatory Requirements, Settlement
Now that the HHS Office of Research Integrity (ORI) has published its final rule revising 2005 regulations governing misconduct, compliance officials could be engaging in three activities simultaneously: checking to see if...more
10/1/2024 / Academic Misconduct, Compliance, Department of Health and Human Services (HHS), Final Rules, Healthcare, HHS Office of Research Integrity (ORI), New Regulations, NPRM, Policies and Procedures, Regulatory Requirements, Research and Development
Sheila Garrity, director of the HHS Office of Research Integrity (ORI), recently spoke to RRC about the agency’s new rule revising research misconduct regulations, which has a compliance date of Jan. 1, 2026 (see related...more
Report on Research Compliance 21, no. 9 (September, 2024) -
How many types of falsehoods might sully applications for research funds and the studies they support? Unfortunately, the most recent semiannual report to...more
9/5/2024 / Academic Misconduct, Compliance, False Claims Act (FCA), False Reporting, Fraud, Government Agencies, Health Care Providers, Healthcare, HHS Office of Research Integrity (ORI), Medical Records, National Science Foundation, OIG, Research and Development, Settlement
Report on Research Compliance 21, no. 9 (September, 2024) -
Based on their review of public data on ClinicalTrials.gov, a bipartisan quartet of U.S. representatives has asked the Food and Drug Administration (FDA) to...more
9/5/2024 / Academic Misconduct, Artificial Intelligence, Audits, Biopharmaceutical, China, Clinical Trials, Department of Health and Human Services (HHS), Disclosure Requirements, Food and Drug Administration (FDA), Fraud, Health Insurance Portability and Accountability Act (HIPAA), Institutional Review Board (IRB), Life Sciences, National Science Foundation, Office for Human Research Protections (OHRP), OIG, Reporting Requirements, Research and Development
Unleashed on June 27, 2017, NotPetya caused an estimated $10 billion in damages globally, among the costliest ransomware attacks in history. In 2018, the Trump administration—in tandem with the British government—blamed...more
8/21/2024 / Corrective Action Plans (CAPs), Cyber Attacks, Cybersecurity, Data Protection, Electronic Protected Health Information (ePHI), Health Care Providers, Healthcare, HIPAA Security Rule, Malware, OCR, Patients, Privacy Laws, Settlement
The Food and Drug Administration (FDA) has given Massachusetts Institute of Technology (MIT) 15 days from receipt of its June 21 warning letter to elaborate on corrective actions to address violations of federal requirements...more
8/6/2024 / Antitrust Division, Chief Compliance Officers, Chief Ethics and Compliance Officers (CECO), Code of Federal Regulations (CFR), Compliance, Coronavirus/COVID-19, Corrective Actions, Department of Health and Human Services (HHS), Department of Justice (DOJ), Ethics, False Statements, Food and Drug Administration (FDA), Institutional Review Board (IRB), National Science Foundation, Office of Laboratory Animal Welfare (OLAW), OIG, Pharmaceutical Industry, Research and Development, Settlement Agreements, Technology Sector, Vaccinations, Warning Letters, Wire Fraud
“I am writing with good news!!! Yesterday, the 10th Circuit overturned Franklin’s only remaining conviction and ordered the trial judge to enter a verdict of NOT GUILTY!!! After five long and difficult years, Franklin has...more
Attestations are at the heart of permissible disclosures under the HHS Office for Civil Rights’ (OCR) new reproductive health privacy rule—and OCR wants covered entities (CEs) and business associates (BAs) to use them now. The...more
7/16/2024 / Attestation Requirements, Breach Notification Rule, Covered Entities, Data Privacy, Department of Health and Human Services (HHS), Disclosure, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Labeling, OCR, Patient Privacy Rights, Patients, PHI, Privacy Laws