Little is known about the possible deterrent effect of fines levied by the HHS Office for Civil Rights (OCR) for HIPAA violations on compliance; no studies appear to have been published on the topic. OCR’s settlements can lag the actual breach or violation by up to five years, perhaps diluting a potential impact.
Many of the newly announced settlements involve old problems, like lost or stolen unencrypted laptops and mobile devices, or a near-universal failure to conduct a security risk analysis—or one that meets OCR’s definition of “comprehensive.”
Certainly there has been an increasing number of large-scale breaches at the same time that OCR’s fines have reached a record high.
Nevertheless, compliance officials use OCR’s big fines to incentivize (or, essentially, scare) workers into following hospital and other privacy and security policies, a situation that may lead to a clampdown of legitimate information sharing, particularly with patients and families.
In recent years, OCR has sought to fight this urge, particularly when it comes to combating the opioid crisis. In 2017, OCR issued “clarifying guidance” specifying four specific situations in which providers can share information, particularly following an opioid-related hospitalization, with family members or friends without express authorization (“OCR: After an Opioid Overdose, Sharing Patient Information Can ‘Help Save Lives,’” RPP 17, no. 11).