Recent OCR HIPAA Enforcement Actions and Request for Information on HITECH Implementation

Enforcement Actions

In its first announcement of enforcement actions in 2022, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) simultaneously announced the resolution of three investigations and one matter before an administrative law judge related to potential violations of the regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Two of these actions continued OCR’s emphasis from the past two and a half years on its Right of Access Initiative (bringing the total of such actions to 27 since the initiative began), and the remaining two continued OCR’s longstanding emphasis on avoiding impermissible disclosures of protected health information (“PHI”).

As with several other Right of Access Initiative resolutions, the two recently announced were with small providers (one with a solo practitioner) and related to failure to provide records for a single patient. All covered entities should review their policies on providing patients with access to their own information and ensure that staff and pertinent business associates are trained on those policies.

The third settlement was based on an impermissible disclosure of patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign. One notable reminder from this resolution is that uses of PHI (as well as disclosures) are regulated by HIPAA, and even minimal clinical information (such as identification of an individual as a “patient” of a particular provider) can constitute PHI.

The final enforcement action was the imposition of a civil money penalty (“CMP”) and was based on the impermissible disclosure of a patient’s PHI on a webpage in response to a negative online review. The action serves as a reminder that patients do not waive their rights under HIPAA even when posting information about their care publicly. All covered entities and business associates should review their policies and training around use of social media and other online platforms.

Request for Information

Finally, OCR recently released a Request for Information related to implementation of certain provisions of the HITECH Act. Specifically, OCR is seeking input on:

  1. the consideration of recognized security practices of covered entities and business associates when OCR makes determinations regarding fines, audits, and remedies to resolve potential violations of the HIPAA Security Rule; and
  2. the distribution to harmed individuals of a percentage of CMPs or monetary settlements collected pursuant to the HITECH Act, which requires HHS (Secretary) to establish a methodology under which an individual who is harmed by an act that constitutes an offense under certain provisions of the HITECH Act or the Social Security Act relating to privacy or security may receive a percentage of any CMP or monetary settlement collected by OCR with respect to such offense.

Comments are due on or before June 6, 2022.

For more information, please contact Madison Pool.