
HIPAA Enforcement in 2021

Updated September 11, 2021

HIPAA enforcement has not slowed in 2021. The Office for Civil Rights (OCR), the HIPAA enforcement agency, has begun dozens of investigations covering general compliance reviews, breaches, and the Right of Access, among other topics.

HIPAA Right of Access is Still a Priority

Five settlements for failure to meet the HIPAA Right of Access requirements have been announced during the first quarter of 2021. Since the Right of Access Initiative was established in 2019, there have been twenty settlements under it. Six of the seven in 2021 have been announced since President Biden took office, supporting our view that HIPAA is Not Political.

We expect OCR to announce more Right of Access settlements in the coming days and weeks. This post will be updated when they are announced.

OCR Investigates Breaches and Complaints

Since January 1, OCR has started at least 115 investigations of healthcare data breaches affecting 500 or more individuals. HIPAA requires organizations to report these large breaches to the U.S. Department of Health and Human Services (HHS), and HHS publishes them on the web, as the law also requires. OCR automatically investigates every one of these.

OCR also starts investigations based on the thousands of individual complaints it receives each year. It received over 27,000 complaints in 2020 and expects more than 28,000 in 2021, according to OCR’s Serena Mosley-Day, Senior Adviser on HIPAA Compliance and Enforcement, speaking at the HIPAA Summit last week.

Top HIPAA Enforcement Issues

At the HIPAA Summit, Mosley-Day also named the recurring compliance issues OCR sees:

  • Individual Right to Access
  • Risk Analysis
  • Business Associate Agreements
  • Access Controls
  • Audit Controls
  • Information System Activity Review

HIPAA Enforcement Affects All Types and Sizes of Organizations

HIPAA Right of Access Settlements

Similar to past settlements, the Right of Access cases announced in 2021 and listed below represent a variety of covered entities, small and large, nonprofit and for-profit, from behavioral health to primary care to plastic surgery.

All settlements thus far have included payment of a fine and a corrective action plan (CAP) requiring oversight by OCR, usually for two years.

$200,000 – Banner Health

Banner Health, a non-profit organization, is one of the largest health care systems in the United States and is based in Phoenix. It operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities. (agreed to a two-year CAP)

$75,000 – Renown Health, P.C.

Renown Health, P.C. is a private, not-for-profit health system in Nevada. (agreed to a two-year CAP)

$70,000 – Sharp HealthCare

Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers, is located in California and provides health care through four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan. (agreed to a two-year CAP)

$65,000 – Arbour Hospital

The Arbour, Inc., doing business as Arbour Hospital, is located in Massachusetts and provides behavioral health services. (agreed to a two-year CAP)

$30,000 – Village Plastic Surgery

Village Plastic Surgery is located in New Jersey and provides cosmetic plastic surgery services. (agreed to a two-year CAP)

$5,000 – Diabetes, Endocrinology & Lipidology Center, Inc.

DELC is a West Virginia-based healthcare provider that treats endocrine disorders. (agreed to a two-year CAP)

$80,000 – Children’s Hospital & Medical Center

CHMC is a nonprofit pediatric hospital with 145 beds located in Omaha, Nebraska. (agreed to a one-year CAP)

OCR Investigations

Investigations can Mushroom if Gaps Persist

Investigations begin for a variety of reasons. Mandated reports of breaches affecting 500 or more individuals automatically generate investigations, but individual complaints about relatively small issues are also a source. Know the breach notification steps so you can show OCR that you can meet compliance requirements.

Data breaches and individual complaints may be a sign of gaps in other areas, and OCR wants to learn whether other issues are present. OCR offers technical assistance to organizations under investigation, which, if followed, can help organizations improve and may lessen the severity of any enforcement outcome. An investigation should be taken seriously, and responses should be prompt and complete.

An Untrained Workforce is a Vulnerability

Of the 115 large breaches reported since January 1, well over half (78) were caused by hacking/IT incidents, mostly targeting email or network servers. Email alone was the location of almost half the breaches so far this year, whether through hacking or another type of unauthorized access or disclosure.

There are several remedies for protecting email security and increasing HIPAA compliance. Good-quality malware protection is a start. Applying appropriate levels of access for different staff positions is important. Strong password policies are essential. But one of the easiest and lowest-tech remedies, and one that can help the most, is security awareness training for the workforce. Hackers use social engineering, a fancy term for basic motivational psychology, to get people to click links, open attachments, and reply to email with information. Security awareness should be taught to everyone on a regular basis, to teach and remind them how to recognize and avoid intrusion and theft.

Best Practices Recommended by OCR

Avoid HIPAA Enforcement with Prevention

HIPAA enforcement is not going away.

By far the most effective way to stay ahead of HIPAA enforcement is to do an annual HIPAA Risk Analysis and follow a Risk Management Plan throughout the year.

In every settlement agreement under the Right of Access Initiative published so far, OCR noted that the organization did not have an adequate Risk Analysis: policies were lacking, workforce training was missing, and the inventories of protected health information (PHI) locations were incomplete.

Each of the best practices recommended by OCR and listed above is included in The HIPAA E-Tool® Risk Management module. If you need help, let us know.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
