Gazelle Consulting

The Office for Civil Rights Beefs Up Enforcement Between 2015-2016

Just over 20 years ago, Bill Clinton signed HIPAA into law. Since then the act has been refined through a combination of legislation and rulemaking (such as the 2013 Omnibus Rule) and enforcement actions by the Office for Civil Rights (OCR). Legislation changes the face of a law overnight, but enforcement actions can have just as much effect on your practice and are harder to stay current with. Over the last two years, the OCR’s enforcement tactics and priorities have changed significantly.


For many years HIPAA was regarded as a law “with no teeth”, but that is now a dangerous misconception. In the last two years the OCR has collected $38,449,620 in settlements, roughly four times the amount it collected in the previous 18 years combined. The trend is accelerating even within that window: the OCR collected $27,974,400 in 2016, up from $10,475,220 in 2015, almost three times as much.


While the size of the penalties has risen sharply, the OCR has become more selective about whom it penalizes. From 2015 to 2016 only 1,303 complaints resulted in the OCR requiring corrective action, about a fifth of the number from 2013-2014. This is not because covered entities became more compliant. Over the last two years the OCR has adopted a policy of intervening early and providing technical assistance; 9,293 cases were resolved that way.

When the Omnibus Rule took effect in 2013, a multitude of businesses newly fell under HIPAA jurisdiction. In several recent actions, the OCR has committed to enforcing that extended reach:


  • They settled with a county government for the first time.

  • A judge ruled that a covered entity had to pay civil money penalties to the OCR, only the second time that has ever happened.

  • They went after a hybrid entity for the first time.

  • They levied their first penalty for failure to provide timely breach notification.

Most importantly, in March 2016 the OCR launched Phase 2 of its HIPAA audit program. Drawing on the results of the 2011 and 2012 pilot audits, the OCR will examine both covered entities (CEs) and business associates (BAs), checking whether they meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Most of these will be desk audits, although some on-site audits will also be conducted.

The first and most important implication is that the OCR is now a more meticulous enforcement body with growing power to prosecute. That said, it is showing more leniency toward, and more willingness to work with, organizations that appear to be making a good-faith effort. A robust HIPAA compliance program could make the difference between the OCR offering technical assistance and levying a heavy fine.


In the last two years, 18 cases were severe enough to merit a monetary settlement or fine. Some patterns emerge when we examine them:


  • 13 were due to missing encryption or inadequate firewall protection.

    • 9 of the 13 stemmed from the loss or theft of unencrypted laptops or other portable devices holding ePHI. Encryption is the practical safeguard here: ePHI encrypted in line with HHS guidance is treated as unusable, unreadable, or indecipherable, so the loss of an encrypted device generally does not trigger breach notification at all.

  • 3 cases involved old-fashioned paper PHI; ePHI cannot be your organization’s only focus.

The OCR’s own analysis identifies the five most common issues behind complaints that required corrective action:


  • Impermissible uses and disclosures of protected health information;

  • Lack of safeguards of protected health information;

  • Lack of patient access to their protected health information;

  • Lack of administrative safeguards of electronic protected health information; and

  • Use or disclosure of more than the minimum necessary protected health information.

You can be sure these will be the first things the OCR looks for in an audit. Fortunately, an organization-wide gap analysis can find these weaknesses before the OCR does.


Article Take-Aways


  • In the last two years, HIPAA enforcement has increased several times over and can be expected to continue increasing.

  • Preparation is key for a possible audit under the OCR’s Phase 2 Audit Program.

  • The OCR is interested in all entities touched by HIPAA (including hybrid entities and business associates), not just large healthcare providers.

  • Organizations with small breaches (those affecting fewer than 500 individuals) should prioritize corrective actions, as the OCR will be looking at such breaches more closely in the future.