Blog | 24By7Security

HIPAA Enforcement: The future of HIPAA penalty caps and limits, and regulatory actions on failure to comply with breach notification rules

Written by Rema Deo | October 18, 2018

Caps on HIPAA penalties restrict OCR's ability to enforce proportionately

OCR Director Roger Severino said at the 2018 NIST/OCR HIPAA conference that it may be necessary to revisit the caps on HIPAA enforcement actions. When asked about the inconsistency among federal agencies in the amounts of penalties levied for data breaches, Director Severino said that achieving consistency or a common standard across agencies may not be easy. On the HIPAA side, there are caps on the penalties that can be levied. He admitted that it may be necessary to take another look at these caps to ensure fairness and proportionality in judgments. If a company is so large that a multi-million dollar fine has little impact on it, then the caps may actually be hindering OCR's ability to impose an appropriate enforcement action on that company.

HIPAA enforcement highlights

The OCR Director highlighted recent HIPAA enforcement actions and provided some details behind those cases. Among the cases he discussed: one covered entity left unprotected medical records on an open truck, one entity named a patient in a press release, one monitored its logs insufficiently to detect incidents, and one allowed film crews into a medical center without prior authorization.

$45,360,383 is the total amount collected by OCR in HIPAA enforcement actions from January 1, 2017 to October 15, 2018. Collections since 2008 have exceeded $100 million.

Regulatory actions against entities that fail to report breaches

When asked about the future of the desk audit program, Director Severino indicated that while OCR is pleased with the number of entities coming forward to report their breaches, it may now focus some energy on entities that have not reported their breaches in accordance with the breach notification rule. OCR may look into taking regulatory action against entities that do not report breaches as required.

A note to all healthcare entities: if you suffer a reportable breach, make sure you follow the breach notification rules and procedures within the time frames dictated by law.


Healthcare information is a precious resource

Director Severino closed his address by saying that healthcare information is like a bar of gold: there are bad people who want access to it.

  • Store it in a safe place.
  • Put up a perimeter of defenses.
  • Train your personnel.
  • Monitor your logs.
  • Do your risk analysis.