
'Low-hanging fruit' and other recent HIPAA compliance items

Rachel V. Rose is Attorney at Law, PLLC, in Houston, Texas. Patrick Ouellette is Assistant General Counsel at the Massachusetts Executive Office of Health and Human Services.

Recently, Roger Severino, director of the Department of Health & Human Services (HHS) Office for Civil Rights (OCR), indicated that in relation to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[1] “[f]or enforcement purposes, there’s still a lot of low-hanging fruit.”[2] The 2019 year-end trend of OCR issuing fines for violations of the Privacy Rule,[3] the Security Rule,[4] as well as the intersection of various state biometric and privacy laws,[5] highlights the value of compliance and how it ultimately reduces the risk of a potential OCR enforcement action.

From September through December 2019, OCR issued several financial penalties related to Privacy Rule[6] violations. Importantly, two cases (Bayfront Health St. Petersburg[7] and Korunda Medical LLC[8]) involved failures to provide patients access to their own medical records within the time frame and fee structure prescribed by HIPAA, resulting in the first enforcement actions and settlements under OCR's Right of Access Initiative. The Privacy Rule also rears its head in times of natural disasters, infectious disease outbreaks, and other emergencies. For example, the COVID-19 outbreak serves as a reminder to providers of what can and cannot be disclosed, and to whom it may be disclosed.
