After a pause of nearly two months, the Department of Health and Human Services Office for Civil Rights (HHS OCR) has resumed its announcement of settlements for alleged HIPAA violations, with four new settlement agreements announced between April 12 and May 10, 2017. The settlements include penalties ranging from $31,000 to $2.5 million:
These four matters were well on their way to resolution prior to the appointment of Roger Severino as the new Director of HHS OCR at the end of March. It is unclear what impact, if any, Director Severino had on the resolution of these cases or on the penalty amounts paid by the organizations subject to these resolution agreements. Speaking at the Health DataPalooza conference in Washington at the end of April, Director Severino again indicated his desire to eliminate unnecessary regulatory burdens, but he also spoke of how his father had been a victim of identity theft. While it is too soon to say, this may suggest that even as Director Severino and HHS OCR begin to look for ways to reduce regulatory burdens, investigations triggered by data breaches may continue to result in significant penalties.
The four settlements, taken together, are a reminder to organizations subject to HIPAA of the wide range of issues that can trigger an HHS OCR action and of the importance of conducting risk assessments, executing business associate agreements, training workforce members (including senior management), sanctioning workforce members when appropriate, and implementing policies and procedures to comply with HIPAA’s other privacy and security requirements. The settlements that resulted from investigations of data breaches are another reminder that while a breach is often the trigger for an HHS OCR investigation, the resulting settlement can be, and often is, driven by other compliance failings that HHS OCR alleges as a result of its investigation. Accordingly, any organization handling protected health information, whether as a covered entity or as a business associate, should review its HIPAA compliance program, policies, and procedures.