First, the good news: The HHS Office for Civil Rights (OCR) is in the “end stages” of drafting a proposed rule to address burdens associated with notices of privacy practices and make other changes to presumably ease information sharing among providers, patients and their family members.
Now the potentially bad news for noncompliant covered entities and business associates: OCR is hoping to ramp up the enforcement cases it undertakes this year, because the numbers “send a message,” in the words of Timothy Noonan, OCR deputy director for health information privacy.
Noonan was among several OCR officials who recently spoke at the HIPAA Summit outside Washington, D.C., giving updates on various agency initiatives, reviewing trends in breaches, and discussing enforcement actions, including the year’s first for alleged HIPAA violations, announced March 3, just a few hours before Noonan spoke.
OCR settled with Steven Porter, a gastroenterologist from Ogden, Utah, for alleged failures to comply with the security rule, including a lack of a risk analysis. Porter agreed to pay $100,000 and implement a two-year corrective action plan (CAP).
Reflecting on 2019 enforcement cases, Noonan said the agency’s $12.2 million from 10 cases was the third-highest number of actions and the fourth highest in collections.
But Noonan said that, to him, “the enforcement program isn’t about chasing numbers. It’s not about the amount of settlement money. I’m more interested in the number of completed actions.”
Noonan added, “I think you measure the vigor and vitality of an enforcement program by the number of enforcement actions that the enforcement program completes. And we’re looking to increase that number” this year. He did not say how many actions OCR might be engaged in this year.
But he stressed that enforcement “sends an important message, to the industry…the entire spectrum…about OCR’s role as a law enforcement agency and our willingness to pursue enforcement to achieve greater compliance.”