November 11, 2011

HIPAA Update: New Regulations in the Works as HHS Ramps Up Enforcement

Enforcement Activity

The Office for Civil Rights (OCR), the agency within the Department of Health & Human Services (HHS) that enforces the HIPAA privacy and security rules, has been ramping up its enforcement activities. Historically, OCR pursued an informal enforcement strategy. While it investigated every complaint it received, it sought voluntary, confidential compliance agreements from those who violated the law, generally without any financial penalty. In fact, from 2003 through January 2009, OCR resolved only two cases with financial settlements.

In amending HIPAA, however, Congress sent a message to OCR that it had not been tough enough in enforcing the law. The HITECH amendments require OCR to proactively conduct compliance audits and dramatically increase the maximum penalties for HIPAA violations, from $25,000 to $1.5 million for all violations of an identical provision in a calendar year. HITECH also now allows OCR to keep monetary settlements and penalties to help fund its enforcement activities. OCR has responded by creating a new, high-level office for HIPAA enforcement and has become more aggressive in seeking monetary penalties. Since July 2010, OCR's enforcement activities have included the following:
  • $4.3 million penalty against a medical clinic that ignored numerous requests from patients seeking to exercise their individual rights of access to their medical records;
  • $1 million financial settlement with a hospital following the loss of patient records by an employee on the subway, after OCR determined that the hospital did not have policies and procedures governing removal of records from the hospital’s premises;
  • $865,500 financial settlement with a medical school hospital relating to improper access of patient records by nosy employees;
  • $35,000 financial settlement with a healthcare company that used patient information for improper marketing purposes; and
  • $1 million financial settlement with a pharmacy chain for improper disposal of patient information (for violations occurring before HITECH's new enforcement scheme applied).

To make sure that the word gets out when OCR resolves a case with a financial settlement, it issues press releases and detailed allegations of the HIPAA violations involved. Where OCR seemed reluctant in the past to publicize its enforcement activities, it now seems eager to make high-profile examples of organizations that have not adequately implemented HIPAA. The stakes have never been higher for organizations with incomplete or outdated HIPAA policies and procedures.

New Regulations

Since Congress passed the HITECH amendments to HIPAA in 2009, HHS has been working on updating its HIPAA privacy and security regulations. Progress has been interrupted by health care reform, but HHS officials have stated that their goal is to issue the new HIPAA regulations by the end of the year. If they succeed, the revised regulations will take effect in the middle of 2012. Some of the revisions will affect employers who sponsor group health plans, including new requirements for business associate agreements, revisions to the Notice of Privacy Practices, and possibly changes to breach notification procedures. Once the new rules come out, employers will likely have six months to implement changes to their policies and procedures and an additional year to amend business associate agreements.

If revised HIPAA regulations come out by year end, employers who sponsor self-insured health plans should plan to take time in the spring of 2012 to review their HIPAA policies and procedures, business associate agreements and other related documents to determine whether they need to be updated. As part of this review, consider whether company policies contain any gaps or describe outdated practices that are no longer followed. Also consider whether the policies:
  • set conditions on how and when an employee can take health information out of the office;
  • establish parameters for access to health information from smartphones, tablets and other portable and easily lost devices; or
  • place restrictions on the use of health information with public cloud computing services.

Timely review may prevent a HIPAA nightmare if OCR ever comes to investigate an incident.

If you need assistance with HIPAA compliance, Warner’s Employee Benefits Practice Group can help. We have extensive experience with HIPAA compliance issues and can assist you in updating your HIPAA policies and procedures.
