In October 2018, the Health and Human Services Office for Civil Rights (OCR) shared that future health-care privacy and security audits will shift from an educational focus to an enforcement focus. In February 2019, OCR announced that 2018 was a record-setting year for HIPAA penalties: OCR settled 10 cases and was granted summary judgment in a case before an Administrative Law Judge, together totaling $28.7 million from enforcement actions, a 22% increase from the year before. Enforcement in 2019 hasn’t slowed, with the most recent settlement and Corrective Action Plan with Touchstone Medical Imaging (a Business Associate) for $3M in May.

For the past several years, OCR has stated that its active audits were being conducted to identify HIPAA violations with the intent to educate providers on patient privacy and HIPAA. Now the priority is enforcement rather than education, and Covered Entities and Business Associates should take heed. Instead of relying on complaints and self-reported breach notifications, OCR plans to be more proactive in identifying problem providers. For instance, OCR might identify and choose to enforce a Business Associate’s violations during the course of an unrelated Covered Entity investigation.

Investigators may use the following tools to hold those not in compliance accountable:

  1. Subpoenas

  2. Legal actions

  3. Payments to affected victims

  4. Corrective action plans

  5. Statutory penalties

It is extremely important that all health care provider entities have a HIPAA compliance plan actively in use. (We can help!)

Penalties can range from $100 to $50,000 per violation and are capped at $1.5 million annually for uncorrected willful neglect (OCR recently lowered the maximum penalties for the other three penalty tiers). Increased enforcement most likely means an increased risk of penalty for a broader scope of Covered Entities and Business Associates, and a higher total penalty amount collected by OCR, which we began to see in the 2018 audits published by OCR.

Step one in planning for potential enforcement-focused audits is to review OCR’s audit protocol, which lays out the requirements and describes what OCR investigators will be looking for as evidence of compliance.

A security risk analysis (SRA) is critical to those hoping to pass these enforcement audits and avoid penalties. Any risks found need to have a written remediation plan. From the OCR preliminary audit findings released in January, it’s clear most providers and health plans are not in full compliance with HIPAA requirements. Nixon Law Group specializes in privacy, and we work closely with IT security professionals who specialize in healthcare compliance.

Managing your internal compliance team, processes, and protocols, and ensuring your outside partners are also compliant, is critical, and without the right tools it can be cumbersome and complicated. We’ve partnered with Ostendio, which simplifies the process, enabling compliance with more than 100 industry standards and regulations. Many of our clients use Ostendio’s cloud-based software to set up and manage their cybersecurity and information management programs, including compliance document management, employee training, and compliance scoring.

Contact us for assistance with your HIPAA compliance plan.