The Office for Civil Rights at the U.S. Department of Health and Human Services (HHS-OCR) had a record-breaking year in 2018 for Health Insurance Portability and Accountability Act (HIPAA) enforcement activity. HHS-OCR entered into 10 settlements and received summary judgment in a case before an Administrative Law Judge, totaling nearly $28.7 million in enforcement actions. According to the HHS-OCR Director, Roger Severino, this record year underscores the need for covered entities to be proactive about their HIPAA data security.

Here are three overarching themes from HHS-OCR’s 2018 HIPAA enforcement activity for HIPAA Covered Entities to consider:

  1. Several settlements indicate failures to obtain written business associate agreements from business associates that maintain protected health information (PHI) and electronic protected health information (ePHI) on behalf of Covered Entities.
  2. HHS-OCR is citing failures to conduct thorough risk analyses of potential risks and vulnerabilities to Covered Entities’ ePHI.
  3. PHI disclosures to the media are thoroughly assessed for compliance with the HIPAA exception.

If you have any questions about any of these HHS-OCR enforcement actions or would like to discuss HIPAA compliance more generally, please reach out to any member of the Drinker Biddle Health Care Group.