The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005. Furthermore, covered entities and business associates were required to comply with the HIPAA Breach Notification Rule beginning on September 23, 2009.

The OCR relies on complaints filed by third parties, self-reports of data breaches, and media reports to identify targets for compliance reviews. If a covered entity or business associate is found to have committed serious violations during a compliance review, HHS may require the entity to enter into a “Resolution Agreement” (“RA”) that may include a fine and a corrective action plan.

Trends in Enforcement Activities and Fines

What to consider when assessing the impact of an OCR investigation:

  1. While enforcement activities and fines are trending upward overall, they appear stable between 2014 and 2015.
  2. Only a minority of investigations lead to fines and penalties.
  3. Cooperation in government-initiated compliance reviews is key to reducing the risk of a penalty.
  4. Having multiple incidents, even if minor on their own, tends to trigger an investigation and lead to fines and RAs.
  5. All entities, regardless of size, are at risk of being found non-compliant and facing large fines in an investigation.