OCR Chief Regional Counsel for Region V, Jerome Meites, has warned that enforcement activity over the past year will “pale in comparison” to the next 12 months. While Mr. Meites was not specific as to this pronouncement being limited to Region V, it may be important to note that Region V covers Illinois, Indiana, Michigan, Minnesota, Ohio and Wisconsin. This announcement follows a year with several significant HIPAA penalties and enforcement actions.
Over the past year, OCR has published nine resolutions agreements, including a recent $4.8 million monetary settlement against New York-Presbyterian Hospital and Columbia University. That monetary payment was the largest HIPAA settlement to date and resulted from two health care organizations failing to secure thousands of patients’ electronic protected health information held on their network.
With HIPAA audits resuming this fall, OCR is already sending a strong message to health care entities. In light of increasing activity in the area of HIPAA privacy and security enforcement, health care providers and business associates should take the necessary steps to ensure their HIPAA compliance programs are effective to protect health information and avoid potentially large penalties.