HHS is giving HIPAA enforcement efforts more teeth with fees and Corrective Action Plans
Approximately five years after the promulgation of the final privacy and security regulations under HIPAA, and two and a half years after the promulgation of a final rule addressing the implementation of civil money penalties, the first-ever monetary settlement and Resolution Agreement/CAP to resolve a potential violation of the HIPAA privacy and security standards was entered into between the Department of Health and Human Services, Office of Civil Rights (OCR) and the Centers for Medicare and Medicaid (CMS), and Providence Health and Services, Providence Health System, and Providence Hospice and Home Care.
Providence agreed, without any admission of liability, to pay the government $100,000 and implement a comprehensive, three-year Corrective Action Plan (CAP). OCR and CMS had launched their investigation after Providence notified the state of Oregon and affected patients of the data breach; some of those patients then filed complaints with the federal government.
This settlement appears to be part of a trend of increased complaints of violations and increased enforcement by the OCR. Also, in March 2007, the OIG began auditing covered entities' compliance with the privacy and security regulations, and OCR regulators were granted the authority to issue subpoenas in civil privacy investigations without first having to seek the approval of the HHS Secretary. The enforcement trend and the settlement send a signal to the industry of the need to elevate privacy and security as a focus area of compliance.
Now that HHS likely believes that covered entities have had sufficient time (approximately five years) to come into compliance with HIPAA privacy and security rules, HHS may be concluding that the time has come to add some "teeth" to its enforcement.
As such, the action taken against Providence is probably not an isolated measure, and is more likely the harbinger of a more aggressive approach to enforcement.
This column is written for informational purposes only and should not be construed as legal advice.
John Eriksen is a senior associate at Epstein, Becker and Green, P.C. in its Health Care and Life Sciences practice group and focuses primarily on health regulatory, compliance, managed care and transactional matters.