Will OCR Issue Fines for Non-Compliance if HIPAA Violations are Discovered?

Two aspects of the HIPAA Rules continue to cause problems for covered entities: risk analysis and risk management. Both are fundamental elements of the HIPAA Security Rule.

If errors are made during a risk analysis, or no risk analysis is conducted at all, covered entities will be unaware of vulnerabilities that cybercriminals or malicious insiders could exploit to gain access to ePHI. Once risks have been identified, it is essential that they are managed and reduced to a reasonable and appropriate level. Failing to address those risks leaves ePHI exposed.

Risk analysis failures were common during the first phase of compliance audits in 2011/2012. If covered entities are still failing to conduct risk analyses and manage risks in 2016 and 2017, OCR could take action and issue financial penalties.

Last year, OCR increased its enforcement activity: more settlements were reached with covered entities to resolve HIPAA violations than in any other year since the Enforcement Rule came into effect, with 12 HIPAA settlements agreed and one Civil Monetary Penalty issued. OCR is now aggressively enforcing the HIPAA Rules.

The first round of HIPAA compliance audits in 2011/2012 was conducted shortly after the HITECH modifications to HIPAA became enforceable. That round was therefore focused more on education and information gathering. No fines were issued, even though widespread non-compliance was uncovered. Now, five years on, covered entities have had plenty of time to respond and comply with the changes to the HIPAA Rules, and OCR is not expected to be as lenient this time around. The HIPAA 2017 audits are not intended to be a witch hunt, but OCR is unlikely to turn a blind eye if serious HIPAA compliance issues are uncovered.

OCR is also under considerable political pressure to increase its enforcement activity and hold covered entities accountable for failing to comply with federal regulations. Some HIPAA settlements can therefore be expected to result from the 200+ compliance audits conducted in 2016 and 2017.
