On May 7, 2014, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced the latest in a string of increasingly aggressive settlements of alleged Health Insurance Portability and Accountability Act (“HIPAA”) violations. The twin settlements with New York and Presbyterian Hospital (“NYP”) and Columbia University (“CU”) are the largest settlements to date and resulted from a physician who tried to deactivate a server that resulted in patient information being available on the internet and indexed in web crawlers. Here are a few lessons that can be learned from these settlements:

  1. There are no excuses for noncompliance. OCR has undeniably switched focus from educating entities to punishing violations. In the past, OCR was seen by many as having a softer touch and more concerned with ensuring compliance; they are now decidedly in enforcement mode, with new settlements almost every month.
  2. Breach notification reporting has become OCR’s primary method of conducting compliance audits. A breach does not mean the end of the world; however, a breach that was caused by multiple HIPAA violations will garner significant scrutiny. OCR uses breach reports to identify companies for more detailed audits.
  3. Risk Assessments may be difficult, but are NOT OPTIONAL: Cursory risk assessments that focus only on certain risks are not acceptable. HIPAA requires more. The last several OCR settlements have all highlighted the failure to conduct a truly comprehensive risk assessment that looks at all risks and vulnerabilities to ePHI, regardless of where it is stored. It is not an easy task to do this, particularly for larger, complex organizations, but OCR is making is clear that no company can get away with phoning in a risk assessment.