2017 HIPAA Enforcement – Appears Not To Be Slowing Down

Snell & Wilmer

To state the obvious, there has been some uncertainty regarding how the Trump Administration will affect federal agency enforcement efforts. However, at least with regard to HIPAA Privacy and Security, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) appears to be maintaining its previous course.

In the first four months of 2017, OCR has already announced seven settlements with covered entities and business associates with fines totaling over $14 million.  For some context, OCR assessed over $23.5 million in 2016, which was a record-breaking year.  These settlements are in addition to Phase 2 of OCR’s Privacy, Security, and Breach Notification Audit Program, which started in 2016 and is likely still underway.

The Phase 2 audits are being conducted in three rounds. Rounds 1 and 2 were remote desk audits of covered entities and business associates, and examined compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. Although Round 2 was expected to start in late September 2016 and end by December 2016, OCR delayed the start of Round 2 until after the 2016 Thanksgiving holiday. Round 3 consists of onsite audits of covered entities and business associates and will examine a broader scope of requirements from the HIPAA Rules than the desk audits. Some desk auditees may be subject to a subsequent onsite audit.

In late March, the Trump Administration appointed Roger Severino as the Director of OCR. Mr. Severino comes from the Heritage Foundation, a conservative think tank. Generally, it is too soon to determine how the new leadership will affect OCR’s HIPAA enforcement efforts in the long term. However, given that HIPAA enforcement is not a major partisan issue, particularly when compared to health reform, it is possible that OCR may continue its course.

Therefore, covered entities and business associates may be well advised to continue their course in HIPAA compliance efforts, which include, amongst other things, implementing privacy and security policies and procedures, ensuring business associate agreements are executed, and conducting risk analysis to assess the risks and vulnerabilities of e-PHI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Snell & Wilmer
