OCR HIPAA enforcement in 2020 was focused on HIPAA right of access violations with 11 fines issued in 2020 citing this type of violation. Although right of access fines will likely continue, the OCR is bound to shift its focus in the year to come. OCR HIPAA enforcement in 2021 is discussed to provide healthcare organizations with guidance on what may be to come.
OCR HIPAA Enforcement in 2021: You Don’t Need a Weatherman…

The fact that the OCR right of access initiative enforcement promise was kept provides insight as to where OCR may be headed next. The 2013 HITECH Act requires HHS to periodically audit covered entities and business associates for their compliance with the HIPAA Rules – the Privacy Rule, the Security Rule, and the Breach Notification Rule. Acting under this requirement, OCR’s 2016-2017 audits (the “Phase 2” audit) examined 166 covered entities and 41 business associates.
In December of 2020, OCR issued its long-awaited 2016-2017 HIPAA Audits Industry Report, which contains the findings of the 2016 and 2017 audits. OCR has summarized the audit results. The good news:
- Most covered entities met the timeliness requirements for providing breach notification to individuals.
- Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on that website.
The bad news:
- Unsurprisingly, most covered entities failed to properly implement the individual right of access requirements, such as acting on requests within 30 days and charging only a reasonable, cost-based fee.
- Most covered entities failed to provide all of the required content for a Notice of Privacy Practices.
- Most covered entities failed to provide all of the required content for breach notification to individuals.
The Security Rule bad news:
- Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
For audits, the past is prologue. Violations found in an audit lead to greater enforcement activity in the years that follow, aimed at curbing those violations. It is therefore likely that OCR HIPAA enforcement in 2021 will include investigations of organizations for Notice of Privacy Practices and breach notification violations.
OCR will also be on the lookout for violations of the Security Rule requirements for risk analysis and risk management, as well as the requirements to track and inventory network devices. The remaining six entities fined in 2019 are keenly aware of this; each one received a hefty monetary fine for not meeting these requirements.