Never mind Big Brother, OCR is watching! HIPAA Enforcement Developments

It was a busy 2014 for the Office for Civil Rights (OCR). OCR entered into several resolution agreements and corrective action plans last year. Pay attention to the enforcement trend Covered entities (CE) and business associates (BA)! No matter how large or small, OCR is taking aim at CEs and likely soon BAs when it comes to HIPAA compliance. If you experience a breach and report it to OCR, be ready to receive a letter demanding documentation of compliance.

CEs & BAs: It’s a New Year; It’s a New Day

As you, CEs and BAs, enter 2015, make every effort to avoid similar costly compliance gaps to avoid the dreaded civil penalties, monetary settlements and corrective action plans. As a (painful) reminder, some of the 2014 OCR settlements include:

  • In the largest HIPAA settlement to date, New York and Presbyterian Hospital and Columbia University, collectively, paid the government $4.8 million after electronic protected health information of 6,800 individuals inadvertently became accessible on internet search engines.
  • Skagit County, Washington, agreed to a $215,000 settlement after electronic protected health information of 1,581 individuals found its way onto a publicly accessible county server.
  • Anchorage Community Mental Health Services will pay $150,000 after the electronic protected health information of 2,743 individuals became compromised after malware attacked its information technology systems.
  • Concentra Health Services and QCA Health Plan, Inc. agreed to pay OCR a total of $1,975,220 following the theft of unencrypted laptops that came to the attention of OCR following the report of breaches of patient information.

Clearly, OCR was very active last year; the above are only four examples. CEs and BAs, you can expect greater scrutiny in 2015. Although the official 2014 data isn’t in yet, in 2013 OCR received 12,915 complaints, a 23.5% increase over 2012. In 2013, OCR resolved 14,300 complaints, a 52% increase over 2012. Will that upward trend continue? Why not be wise and take heed, just in case.

OCR is serious about HIPAA compliance. You can read more about other actions taken by OCR in 2014 here. It’s good to remember that compliance is not just a good idea, but also that non-compliance can get very expensive very quickly. If you only keep one resolution in 2015, let it be “To get – and remain – in compliance.”

Chris Apgar, CISSP, CEO, is a frequent educator and panelist for OMA, HCCA and other industry-leading organizations. Chris is also available as an expert witness and columnist. For all of your privacy and security compliance consulting needs, call the HIPAA experts at Apgar & Associates: 503-384-2538.