Considering the Health Insurance Portability and Accountability Act (HIPAA) is now in its third decade, the Privacy Rule took effect 20 years ago, and compliance with the HIPAA Security Rule has been mandatory for 18 years, there have been relatively few financial penalties over the years, with just 130 imposed by OCR to resolve HIPAA violations. There have been changing HIPAA enforcement trends over the years and a shifting of enforcement priorities at OCR. Today, OCR is having to pick and choose the cases where financial penalties are pursued, and while more financial penalties are now being imposed, the penalty amounts are a fraction of the level that they were just a few years ago.
A Brief History of HIPAA Enforcement
The HIPAA Enforcement Rule – Final Rule was issued on February 16, 2006, and took effect on March 16, 2006. The Enforcement Rule gave the U.S. Department of Health and Human Services the authority to investigate HIPAA-regulated entities to determine whether they are in compliance with the HIPAA Rules and to impose financial penalties if noncompliance is discovered. The HITECH Act, which took effect on February 18, 2009, established four categories of HIPAA violations based on the level of culpability and set minimum/maximum penalty amounts and penalty caps for each of the four penalty tiers, increasing the maximum penalty amount to $1.5 million for violations of an identical provision in a calendar year.
Then in FY 2020, the HHS reassessed the language of the HITECH Act, determined that the penalty amounts stipulated in the HITECH Act had been misinterpreted, and reduced the penalty amounts in three of the four tiers, keeping the maximum penalty of $1.5 million only for the most serious violations, where willful neglect of the HIPAA Rules is determined to have occurred with no attempt to correct the violations.
Since the effective date of the HIPAA Enforcement Rule (up to and including February 2023), the HHS’ Office for Civil Rights has imposed 130 penalties for HIPAA violations, ranging from violations of a single provision of the HIPAA Privacy Rule, such as the failure to provide individuals with timely access to their medical records, to egregious violations and widespread noncompliance with the HIPAA Rules. The penalties imposed so far range from $3,500 to $16,000,000.
Financial Penalties for HIPAA Violations are Relatively Rare
While OCR has the authority to impose financial penalties for HIPAA violations, the vast majority of investigations have not resulted in financial penalties. OCR investigates all large data breaches of 500 or more records and more than 5,000 such breaches have been reported since 2009, yet only 130 financial penalties have been imposed. OCR has stated that in the majority of cases, HIPAA violations are resolved through voluntary compliance and technical assistance, where OCR helps regulated entities address the violation to avoid further compliance issues.
In a February 28, 2023, update on its HIPAA enforcement actions, OCR explained that it has received more than 322,579 complaints about potential HIPAA violations. 14,355 cases were investigated and no violation was identified, and OCR failed to establish a case for enforcement in 215,125 cases. Technical assistance was provided in 53,661 cases.
From those cases, OCR has initiated more than 1,160 compliance reviews and said 97% of all cases have been successfully resolved. More than 30,013 cases have required changes to be made to privacy practices or corrective actions to be implemented by HIPAA-covered entities and business associates. The 130 cases that warranted financial penalties have resulted in $134,828,772 being paid to OCR in civil monetary penalties and settlements.
HIPAA Audits Identified Widespread Noncompliance
In addition to the investigations of complaints and data breaches, OCR has conducted two phases of HIPAA audits. These audits were not conducted from a HIPAA enforcement perspective; rather, the primary goal was to identify the areas where HIPAA-regulated entities were struggling with compliance. The audits have helped OCR to develop pertinent guidance to address the most common HIPAA violations. The first round of audits identified widespread HIPAA violations as covered entities struggled to get to grips with what was required, and more than a decade after the HIPAA Privacy and Security Rules were enacted, noncompliance was still common.
In the second round of compliance audits, the most common violations identified were related to Notices of Privacy Practices, a lack of information in breach notifications, HIPAA Right of Access failures, business associate breach notifications to covered entities, and risk analysis and risk management failures, with the latter common to both covered entities and business associates.
According to OCR, the same areas of noncompliance are identified frequently in its investigations, along with impermissible uses and disclosures of protected health information, a lack of safeguards for protected health information, a lack of patient access to their protected health information, a lack of administrative safeguards for electronic protected health information, and the use or disclosure of more than the minimum necessary protected health information.
HIPAA Enforcement Trends
In the early years after the HIPAA Enforcement Rule was enacted, OCR showed a reluctance to resort to financial penalties for HIPAA violations, typically pursuing them only in the most egregious cases, where widespread noncompliance or the most serious compliance failures were identified. In the 29 enforcement actions from 2008 to 2015, 9 penalties were imposed for risk analysis/risk management failures, 9 for the failure to safeguard PHI, 6 for widespread non-compliance with the HIPAA Rules, and one each for denying access to medical records, disclosing PHI without consent, the failure to encrypt PHI, improper disposal of PHI, and the failure to permanently erase PHI.
There was an uptick in HIPAA penalties in 2016, 10 years after the Enforcement Rule was published. Since then, the enforcement actions have addressed a much broader range of HIPAA violations. Risk analysis and risk management failures are still among the most common HIPAA failures cited in OCR’s enforcement actions, along with other HIPAA Security Rule violations and impermissible disclosures of PHI.
In the fall of 2019, OCR launched a new enforcement initiative targeting organizations that were not compliant with the HIPAA Right of Access, with the penalties arising from complaints rather than data breaches. Since then, 65 penalties have been imposed to resolve HIPAA violations, 43 of which have been for HIPAA Right of Access violations. The main reason for this HIPAA enforcement trend has been a massive increase in OCR’s workload and extremely limited resources for HIPAA investigations.
Lack of Funding Hampering HIPAA Enforcement
OCR has been struggling with a lack of funding for several years as its budget has remained flat despite a significant increase in its workload. OCR has made multiple requests to Congress for additional funds, but those requests have been denied. Since fiscal year 2017, complaints about potential HIPAA violations have increased by 28% and reports of large data breaches – more than 500 records – have increased by 100%. All complaints must be assessed, and when the allegations are substantiated, the violations must be investigated. OCR also investigates all large healthcare data breaches to determine if they are the result of non-compliance with the HIPAA Rules. As such, OCR’s limited budget and resources have been squeezed, and that is limiting its ability to enforce compliance. OCR also has an increasing workload in other areas: it enforces 55 statutory authorities, including civil rights and non-discrimination statutes in addition to HIPAA, and for several years the small HHS department has not been given adequate resources to do its job.
To help address the budgetary shortfall, the HHS has undertaken a restructuring of OCR which has seen the creation of three new divisions to get more from its limited budget and resources, including a new enforcement division. The HHS hopes the restructuring will improve efficiency, which will help OCR deal with its increased caseload and reduce its backlog of investigations. It is worth noting that OCR’s enforcement staff has been reduced by 45% due to flat budgets and inflation increases, so while the restructuring will help, restructuring alone is unlikely to solve the problem.
OCR could use funds from its enforcement actions to address the budgetary shortfall; however, civil monetary collections have declined since 2019, despite an increase in enforcement actions. This is due to the reinterpretation of the language of the HITECH Act and the reduction in minimum and maximum penalty amounts and the annual penalty caps. In 2019, OCR raised almost $23 million in fines and settlements, but following the reassessment, the total fell to just over $2 million in 2022, even though a new record was set that year for the number of financial penalties imposed. The number of penalties has increased, but there has been a notable shift from imposing penalties on large HIPAA-covered entities for egregious violations of the HIPAA Rules to enforcement actions against small healthcare providers for HIPAA Right of Access violations.
This year, the HHS requested $78 million in funding for OCR for FY 2024, almost double its FY 2023 budget: an increase of $38 million on the $40 million received in 2023. OCR Director Melanie Fontes Rainer said OCR now has to pick and choose its battles carefully, as it is forced to operate under incredible resource constraints and its staff is incredibly overworked. Data from 2020 indicates OCR has just 77 investigators, and not all of them are investigating HIPAA violations. Some are investigating violations of other statutes, such as anti-discrimination and civil rights violations. For FY 2023, the HHS requested a 58% increase to its budget, to $60 million, which would have allowed OCR to hire a further 37 investigators. The HHS was unable to get a budget increase when Democrats had a majority in the House and Senate, so it seems even more unlikely now.
This year, in addition to the sizeable budget increase it has requested, OCR has submitted a proposal to get the authority to work with the Department of Justice and seek injunctive relief, which would improve OCR’s ability to prevent additional or future harm to individuals from non-compliance. OCR is also seeking help from Congress to increase the caps for financial penalties for HIPAA violations to provide additional funding for its enforcement activities.
The Future of HIPAA Enforcement
OCR is continuing with its enforcement initiative targeting HIPAA Right of Access violations and has already announced one settlement this year due to untimely breach notifications. These enforcement actions are relatively cut and dried. A patient complains that they have not been provided with their records and can provide proof that the request was sent, and the healthcare provider must provide proof that the requested records were provided, along with evidence of staff training. It is difficult for covered entities to contest the findings when records have not been provided within the set time frame, so legal disputes are unlikely, especially considering the penalties imposed are relatively small. These enforcement actions are therefore a good use of OCR’s limited resources.
What is needed, however, are investigations of hacking incidents, which are behind the massive increase in large data breaches. OCR needs additional funding for these investigations to determine whether the breaches were caused by noncompliance with the HIPAA Security Rule. These investigations are, however, much more complex, time-consuming, and resource-intensive. OCR also faces a potential problem. The approach taken in its past enforcement actions was called into question when the $4.3 million penalty for University of Texas MD Anderson Cancer Center was overturned on appeal.
OCR’s enforcement actions were deemed to be “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” and the penalty was reduced by a factor of 10. That case could embolden other HIPAA-regulated entities to challenge penalties, further draining OCR’s resources and its ability to enforce HIPAA. While it is unclear exactly how much impact the overturning of the MD Anderson Cancer Center penalty has had, OCR has only fined four entities for Security Rule failures related to data breaches since that decision, out of 37 enforcement actions – Excellus Health Plan, AEON Clinical Laboratories (Peachstate), Oklahoma State University – Center for Health Sciences (OSU-CHS), and Banner Health.
OCR also needs to start sharing a percentage of the settlements and civil monetary penalties it collects with victims of HIPAA violations, which is likely to reduce further still the funds OCR can use from those enforcement actions. Without an increase to its budget, which appears the likely outcome, the future of HIPAA enforcement is likely to depend in large part on an increase to the penalty caps and improvements in efficiency from its restructuring.
A reduction in data breaches would certainly help ease OCR’s caseload, but with a relative lack of enforcement of noncompliance and extensive targeting of the healthcare industry by malicious actors, that seems somewhat unlikely. OCR is now considering the recognized security practices that have been implemented when making determinations about fines and penalties, which could encourage healthcare organizations to improve security; but for many smaller healthcare organizations, budgets are already limited and there is a global shortage of skilled cybersecurity professionals. Regulatory moves by the government could help to address this by providing incentives for healthcare organizations to make further investments in security, and could deal with the staff shortage by introducing incentives for cybersecurity professionals to take on roles in healthcare.
The HHS has also increased the guidance issued to help healthcare organizations improve their defenses. The Health Sector Cybersecurity Coordination Center (HC3) is now issuing more threat advisories specific to the healthcare sector, along with recommendations and resources to help healthcare organizations improve their defenses by focusing their efforts on the most pertinent threats. That help has been welcomed, and while more healthcare-specific threat intelligence would be of great help to the sector, HC3 also has considerable budget constraints and requires additional funding to increase its output.
Steve Alder, Editor-in-Chief, HIPAA Journal
The post Editorial: HIPAA Enforcement Trends and Outlook appeared first on HIPAA Journal.