December 3, 2024

HIPAA Tidings: A Look at OCR's Recent Enforcement Actions

Holland & Knight Alert
Beth Neal Pitman | Shannon Britton Hartsfield | Julia Hesse

Highlights

  • December typically ushers in a final round of enforcement actions by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR), and 2024 is no exception.
  • This Holland & Knight alert considers several points for a year-end review of Health Insurance Portability and Accountability Act (HIPAA) compliance.

In addition to holiday celebrations, the month of December typically ushers in a final round of enforcement actions by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR), and 2024 is no exception. OCR announced on Dec. 2 its settlement with Holy Redeemer Family Medicine resolving alleged Health Insurance Portability and Accountability Act (HIPAA) violations arising from the impermissible disclosure to an employer of protected health information (PHI), specifically reproductive healthcare information (RHI). OCR Director Melanie Fontes Rainer pointed out that "Patients must be able to trust that sensitive, health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy." In its press release, OCR reminds the healthcare industry of its commitment to ensuring the privacy of PHI related to lawful reproductive healthcare and refers HIPAA-regulated entities to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This recent enforcement action raises several points for a year-end review of HIPAA compliance.

Privacy Is Bipartisan

Though some may be tempted to disregard the RHI privacy requirements since political winds may have changed – particularly in light of the pending challenge by the Texas Attorney General – covered entities and business associates should remember that data privacy and security, as a whole, is not a partisan issue. HIPAA was originally known as the Kassebaum-Kennedy Act, named after two of the Act's leading sponsors, former Sens. Nancy Kassebaum (R-Kan.) and Ted Kennedy (D-Mass.). It was signed into law by President Bill Clinton, and initial final privacy rules were published under his administration, but the HIPAA Security Rule became finalized in 2003 during the George W. Bush Administration. In April 2024, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-Wash.) announced draft bipartisan privacy legislation known as the American Privacy Rights Act. In light of the long history of bipartisan support for the idea that personal data should remain private and secure, it seems that at least some aspects of HIPAA will continue to be an important compliance focus for the foreseeable future.

Don't Delay Reproductive Health Information Privacy Compliance Updates

Compliance with the HIPAA RHI Rule is required by Dec. 23, 2024. There is still time to implement the amendments, and healthcare providers should consider the following compliance recommendations:

  • Identify locations of RHI in PHI, including billing and other administrative records.
    • The pervasive and unsegmented nature of RHI within the health records of patients extends the applicability of the RHI Rule to nearly all healthcare providers, health payers, pharmacies and other HIPAA-regulated organizations, including business associates.
    • Discuss potential assistance that health information technology vendors can provide to tag or otherwise flag this type of information.
  • Consider why RHI is collected and maintained, and consider the minimum retention period for such information.
  • Review and update HIPAA business associate agreements to require that business associates implement processes for compliance with the RHI Rule.
  • Adopt and update existing policies and procedures that are impacted by the RHI Rule such as HIPAA definitions, permitted disclosures, Required by Law disclosures and disclosures pursuant to subpoenas and implement an attestation policy and form.
  • Train health information management personnel and others responsible for responding to requests for information, including processes for ensuring that attestations are obtained when required.
  • Update the Information Blocking policies and documentation to specifically address the delay in exchange of electronic health information (EHI) likely when RHI is involved.

OIG Encourages Enhanced OCR Enforcement

OCR recently came under fire from the HHS Office of Inspector General (OIG) for weaknesses in certain auditing and HIPAA enforcement efforts. OCR's response to the Nov. 24, 2024, report of the OIG foretells increased OCR enforcement activity in response to a significant increase in cyberattacks and a return of HIPAA audits focusing on compliance with Security Rule safeguards – "with appropriate funding." In response to the OIG audit, OCR agreed to four of the five recommendations. However, based on OCR's "financial and staffing limitations," the "surge in volume of complaints" and "HIPAA large breaches," along with the voluntary nature of HIPAA audits, OCR declined to commit to OIG's recommendation to impose penalties when audits confirm HIPAA violations. OCR's position is that civil money penalties do not necessarily result in corrective action, and HIPAA-regulated entities are not required to enter into a resolution and corrective action plan. Authority to seek injunctive relief and work in coordination with the U.S. Department of Justice (DOJ) to pursue remedies that ensure correction of deficiencies is OCR's preferred path. That path, however, is not authorized by HIPAA and will require legislative action to amend the statute.

OCR Is Focusing on Its Security Risk Analysis Initiative

Enforcement of ransomware security incidents has dominated the breach enforcement actions and resolution agreements issued in 2024, with failure to conduct a compliant risk analysis as the overarching theme. Establishing initiatives is not a new concept for OCR and, if the enforcement trend and activity around the patient right-of-access initiative is any predictive indicator, there will likely be more frequent settlement or imposition of civil money penalties for failures to comply with the security risk analysis and management standards, 45 C.F.R. § 164.308(a)(1)(ii)(A). OCR made clear during its October cybersecurity conference with the National Institute of Standards and Technology (NIST) that it will seek out opportunities to educate HIPAA-regulated entities regarding compliant processes for performing security risk analyses. OCR does not consider a checklist or cookie-cutter form of assessment as compliant and noted during the conference that its own security risk assessment template is just a starting point and alone is not sufficient. Now is the time to review and update these processes to help ensure that comprehensive and compliant assessments are completed and the results are promptly and appropriately addressed.

Additional updates from OCR are expected throughout December through the anticipated release of proposed security rule amendments and additional enforcement activity.
