The breakdown: four HIPAA Privacy Rule impermissible disclosure cases. 17 right-of-access cases (15 settlements, 2 cases in which civil monetary penalties were imposed). One Security Rule violation case. The total amount of settlement and civil monetary penalty money collected: $2,170,140.
Trying to fashion a story or theme around this seemingly random and sleepy enforcement year seems difficult. This HIPAA 2022 review discusses potential reasons for OCR’s apparent shift in focus from security rule violations in data breach cases to right-of-access enforcement. This HIPAA 2022 review also goes over what covered entities and business associates can learn from the individual cases to prevent falling prey to fines in the future.
HIPAA Fines 2022 Review: Stop Making Sense
Attempts at a “Unified Theory of OCR Everything” have been made. One theory holds that a 2021 court case (resolved against OCR) has scared OCR off of enforcing the Security Rule. Since this January 2021 court ruling, OCR has only entered into one Resolution Agreement containing a monetary settlement for a data breach.
In the January 14, 2021 decision striking down a $4.3 million fine imposed on the University of Texas MD Anderson Cancer Center, the U.S. Court of Appeals for the Fifth Circuit did indeed issue a ruling against OCR, finding the rationale for imposing a Security Rule-related fine to be unsound. Since January 14, 2021, OCR has indeed only entered into one data breach settlement, in July of 2022.
The “court scared OCR off” theory is only as solid as the evidence to support it, and there is little to no evidence that the court decision has actually influenced OCR’s decision as to which entities to investigate and for what reasons.
The ruling came from one of 13 federal appeals courts, and is only binding precedent on the states within that court’s jurisdiction (Mississippi, Louisiana, and Texas). The number of covered entities and business associates who have gone so far as to file a federal lawsuit, both before and after MD Anderson, in response to an unfavorable OCR decision, can be counted on two hands.
The decision (which essentially held that a CE need only implement a mechanism for encryption; it need not actually do the encrypting, contrary to HHS’ position that entities must actually put measures they have implemented into practice) might have led OCR to enter into fewer data breach/Security Rule violation settlements, but so might any number of other events in 2021 and 2022:
- A global pandemic
- The overruling of Roe vs. Wade
- A sudden change in OCR’s leadership (OCR has had two directors in the past year)
- OCR’s issuance of detailed guidance on what constitutes “recognized security practices,” and the time it allowed for entities to comply with that guidance
OCR has not shared its enforcement priority reasoning with the public. Instead of guessing at the reasons behind past decisions, it is instructive to look forward – to focus on what OCR has said it will do.
OCR has indicated that it will continue to clamp down on providers who violate the HIPAA Privacy Rule’s right-of-access provision. People who want to know whether they might get in trouble for a Privacy Rule violation in 2023 need only look at the 4 impermissible disclosure cases and 17 right-of-access cases that OCR settled in 2022, or ended by imposing a fine.