Roger Severino, Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), provides advice for HIPAA covered health care providers:

“When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information

According to OCR allegations, a small health care provider in North Carolina, Metropolitan Community Health Services, reported a data breach on June 9, 2011. The breach involved the impermissible disclosure of protected health information to an unknown email account affecting 1,263 patients. It is not clear when OCR’s investigation commenced, but it “revealed longstanding, systemic noncompliance with the HIPAA Security Rule…Metro failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.” Under the Resolution Agreement reached with OCR, Metro agreed to a two-year corrective action plan (CAP) and to pay $25,000.

The OCR considered that Metro is a Federally Qualified Health Center that provides a variety of discounted medical services to the underserved population in rural North Carolina, but that did not stop it from taking enforcement action against a relatively small covered entity. Other examples of enforcement actions against small health care providers include:

• In March 2020, a solo practitioner providing gastroenterological services agreed to pay the OCR $100,000 and to adopt a CAP to settle potential HIPAA violations. The OCR became aware of the alleged noncompliance when the provider reported to OCR a data breach involving a dispute with the provider’s business associate.
• In October 2019, the OCR alleged a small dental practice violated HIPAA when it responded to a patient’s complaints on Yelp, disclosing details of the patient’s treatment plan, insurance and cost information. The provider paid $10,000 and agreed to a CAP.
• In April 2017, a small, for-profit pediatric subspecialty practice paid OCR $31,000 and agreed to a CAP following an OCR compliance review during which OCR found that the provider did not have a “business associate agreement” with its data storage company.

HIPAA compliance is no doubt a significant challenge for large and small covered healthcare providers, and other covered entities and business associates. In addition, data breaches can be nearly impossible to prevent in all cases. However, these and other OCR enforcement actions suggest that with some relatively basic compliance measures, small providers can be more successful during OCR investigations. Here are some examples:

• Conduct a risk assessment that considers the threats and vulnerabilities to protected health information.
• Maintain written policies and procedures that address required administrative, physical, and technical safeguards required under the Security Rule.
• Provide training and improve security awareness for workforce members when they begin working for the organization and periodically thereafter.
• Maintain business associate agreements with all business associates.
• Document compliance efforts.

And, of course, evaluate compliance following a reported data breach and make the necessary improvements.