Knowledge and Insights

HIPAA Enforcement Reaches Record Levels

It is a well-publicized fact that HIPAA enforcement has been on the rise in recent years.  The Office for Civil Rights (OCR) has now released its annual report, which confirmed that 2018 was a record year for HIPAA enforcement activities. The OCR settled ten (10) cases in 2018, with fines and penalties totaling nearly $29 million and individual settlements ranging from $100,000 to $16 million.

The report underscored the fact that entities subject to HIPAA continue to disregard basic requirements.  As in previous HIPAA settlements, the OCR sanctioned entities last year for violations that included failure to implement physical safeguards to shield protected health information (PHI); theft of an unencrypted laptop and the loss of thumb drives containing unencrypted data; failure to perform a risk analysis; failure to terminate the remote access of a workforce member following separation of employment; and numerous instances of failure to maintain business associate agreements. Other instances of blatant disregard of rudimentary HIPAA requirements included a medical provider discussing a patient’s case with a television reporter without obtaining the patient’s consent and a hospital enabling film crews to film a documentary on premises without obtaining patient authorization.

2018 brought the largest-ever settlement against an entity subject to HIPAA when the OCR resolved a matter against Anthem, Inc., a business associate, for $16 million. That settlement followed Anthem’s report of a breach and a subsequent compliance review by the OCR, which uncovered failures to conduct an accurate and thorough risk analysis and to adhere to various other HIPAA Security Rule requirements.   In addition to the significant settlement, Anthem agreed to a rigorous corrective action plan with the OCR.

In addition to these noteworthy settlements, the OCR prevailed in an administrative litigation filed against the University of Texas MD Anderson Cancer Center (MD Anderson). An administrative law judge ordered MD Anderson to pay $4.3 million in civil monetary penalties for failing to adopt an enterprise-wide solution to encrypt electronic devices containing PHI.

The OCR annual report again highlights to need to be proactive – rather than reactive – in your HIPAA compliance efforts. Schenck Price can assist in creating a culture of HIPAA compliance in your organization.

For more information, contact Deborah A. Cmielewski, Esq. at or 973-540-7327.