
On Heels of OCR’s Reduction In Fines, Congress Offers Its Views

In the roughly three months since the HHS Office for Civil Rights announced it planned to reduce the amount of fines imposed for all but the most serious HIPAA violations, OCR issued two settlements—but both were finalized before the change.

The health care privacy and security community, then, has yet to see how the recent decision by OCR Director Roger Severino plays out and, at the same time, what impact there might be on compliance.

Now Congress has entered the fray. Significant health care legislation is advancing in the Senate that calls for OCR, when dealing with HIPAA violators, to take into consideration whether a covered entity (CE) or business associate (BA) had “recognized security practices in place” for at least a year that would “mitigate fines” or “limit remedies” the agency might impose.

It could be argued that OCR already does this, but in recent years, particularly as its penalties have risen, the agency has stopped explaining how it arrived at settlement amounts. For example, last year OCR entered into a $16 million settlement with Anthem Inc. over a massive exposure of protected health information (PHI)—some 79 million records were involved. Severino said only that the “largest health data breach in U.S. history fully merits the largest HIPAA settlement in history” (“OCR Exacts Its Pound of Flesh From Anthem With $16 Million Settlement, Corrective Actions,” RPP 18, no. 11).
