Printer Friendly, PDF & Email

State and federal HIPAA enforcement actions translate into compliance priorities

Kara L. Hilburger ( is Privacy Compliance & Digital Accessibility Team Leader, and Alexis L. Rose ( is Health Care Data Privacy Attorney at Beckage PLLC, Buffalo, NY.

Since 2003, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has imposed more than 100 civil monetary penalties, totaling over $131 million, for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] Many recent enforcement actions have focused on right-of-access violations as part of OCR’s Right of Access Initiative.[2] However, the costliest enforcement actions resulted from breaches of electronic protected health information (ePHI), with more than half of those enforcement actions in the past two years settling for $1 million or more.[3]

Since late 2019–early 2020, OCR has shifted its focus to right-of-access cases and responses to the COVID-19 public health emergency.[4] However, that does not mean covered entities or business associates should let their guard down regarding other areas of enforcement or be left unprepared when the public health emergency exceptions are lifted—OCR is still active, state attorneys general (state AGs) have become more active in recent years, and it is anticipated enforcement actions could become more common under the new OCR Director Lisa J. Pino, who has a background in cybersecurity.

State AGs have brought a growing number of HIPAA enforcement actions, often resulting in massive financial penalties for covered entities and business associates.[5] Under the Health Information Technology for Economic and Clinical Health Act, states may bring enforcement actions on behalf of their residents for HIPAA violations.[6] Recently, multistate actions have been on the rise, with state AGs working cooperatively to more efficiently investigate and enforce violations.[7] Not only have state enforcement actions been on the rise, but often states require more prescriptive corrective actions.

Taking an in-depth look at the 40 most recent OCR and state enforcement actions, several patterns emerge. This article outlines those enforcement patterns and evaluates best practices to address common deficiencies in areas such as governance, risk analysis and management, policies and procedures, and technical safeguards. Finally, the article provides tips on mitigating legal risk by prioritizing compliance initiatives based on recent trends in HIPAA enforcement actions.

This document is only available to members. Please log in or become a member.

Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field