Inadequate OCR Technology and Policy Result in Few Consequences for Repeat HIPAA Violators

The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) is the federal agency tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, as most folks reading this know, requires health care providers and other covered entities to protect the privacy and security of an individual’s protected health information (PHI). OCR has broad enforcement authority and wide latitude in deciding how to handle complaints alleging violations of HIPAA’s privacy, security, and breach notification rules. OCR can resolve a complaint privately and informally, as it does in many instances. However, OCR also has the authority to impose fines of up to $50,000 per violation, with an annual maximum of $1.5 million. In the most egregious cases, OCR can seek criminal charges against violators. According to a privacy advocate’s evaluation of federal and state public records, although OCR receives thousands of complaints a year (almost 18,000 in 2014 alone), it imposes few financial penalties – fewer than 30 violators have agreed to pay fines since 2009, according to OCR public records.

Many HIPAA violations each year are committed by repeat offenders. The organizations with the most HIPAA violations are large health care providers, laboratories and pharmacies with numerous locations that serve millions of patients each year. In fact, the U.S. Department of Veterans Affairs has been one of the biggest offenders. Privacy advocates suggest that OCR has been too lenient in its enforcement efforts and that the sheer number of violations by these repeat offenders signals organizational failures that require stricter enforcement and punitive action by OCR to gain compliance.

Deven McGraw, Deputy Director for Health Information Privacy at OCR, has stated that the agency’s top priority is investigating “large breaches” that affect at least 500 people, but that OCR needs to do more to curb HIPAA violations by repeat offenders. McGraw largely blames the agency’s case management system as an impediment. This is consistent with two reports issued in late 2015 by the Department of Health and Human Services (HHS) Inspector General that fault OCR’s case-tracking system for its inability to proactively track repeat offenders.

The studies also identified other inadequacies in policy and procedure that contributed to the inability to adequately track and address repeat violations, including:

  • OCR does not enter information related to small breaches (affecting fewer than 500 people) in its case-tracking system, which limits its ability to track covered entities with multiple small breaches;
  • 26 percent of all large breach complaints investigated by OCR had incomplete documentation related to corrective action taken by the covered entity;
  • Nearly 30 percent of investigators rarely or never checked in the case-tracking system whether the covered entity had any previous large breaches; and
  • OCR did not have a standard way to enter covered entities’ names in the case-tracking system, limiting investigators’ ability to search for and identify repeat offenders while investigating a complaint.

The HHS Inspector General recommended that OCR should (1) begin tracking all breaches in its case-tracking system, not just the large breaches; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches; (4) develop a policy to require OCR staff to check whether covered entities reported prior breaches; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all recommendations.

OCR claims it is taking steps to fix the problems identified in the studies. Public pressure on the agency to address repeat offenders that continue to violate HIPAA with little consequence is intensifying. As a result, we expect that OCR will respond more aggressively to complaints in the future, particularly those involving repeat offenders. We also anticipate that the use of fines and other punitive measures will become more widespread. The Federal Trade Commission (FTC) also continues its separate efforts to investigate and enforce against health care data breaches as “unfair” acts or practices under Section 5(a) of the Federal Trade Commission Act (FTC Act), despite the dismissal of the FTC’s complaint against LabMD over a possible data breach of 1,718 patients’ insurance claim information (see DataPoints: Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016). Covered entities must therefore be even more vigilant about health care data, given anticipated regulatory enforcement from both OCR and the FTC.

Carol Ewald Bowen

About Carol Ewald Bowen

For over 20 years – including eight years as in-house counsel for a large national health care company – Carol Bowen has focused exclusively on representation of health care providers and other stakeholders in the health care industry. Her legal knowledge, coupled with a practical and responsive approach, helps clients achieve their business goals within the complex health law framework. Ms. Bowen’s clients include major health care companies, hospitals, physician groups, entrepreneurial health care businesses and national lenders within the industry. Ms. Bowen leads the Firm’s Health Law practice in the Charlotte office. She is a frequent speaker for client and industry groups on health care issues and has served as an editorial consultant to several health care publications.

