October 19, 2019

October 18, 2019

Subscribe to Latest Legal News and Analysis

October 17, 2019

Subscribe to Latest Legal News and Analysis

October 16, 2019

Subscribe to Latest Legal News and Analysis

HIPAA Enforcement Outlook for 2019 and Beyond

After announcing that its HIPAA enforcement collections had reached a new high-water mark of $28.7 million in 2018, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services has started this year quietly. Through the first few months of 2019, the OCR has published no resolution agreements and it is doubtful that it has any investigation in the pipeline that will produce a settlement nearly as large as the $16 million collected from Anthem, Inc., last year on account of its massive data breach in 2014 and 2015, which affected almost 79 million people. Thus, it appears unlikely that this year’s OCR collections will match the totals from 2018, but a number of factors suggest that enforcement activity will resume and potentially expand in the future. For example:

  • Settlement payments may provide the government with needed revenue in a period of budgetary constraints.

  • OCR announced last year that it would develop a methodology for distributing a portion of the money it receives through HIPAA enforcement actions to individuals affected by a breach. The implementation of such a program (which is technically required, but long delayed) may encourage more individuals to report breaches to OCR and could motivate OCR to increase the amount it seeks in any given enforcement action.

  • Although there is no private right of action under HIPAA, individuals may bring lawsuits under other privacy grounds and legal theories, which nevertheless draw on HIPAA to set standards for how data should be protected.

As for settlements, there has been little recent activity on OCR’s HIPAA audit program. Phase Two of the audit program seems to have fizzled out. Although audits may be revived at some time in the future, it is more likely that OCR will dedicate its limited HIPAA resources to investigations—which can produce revenue in addition to requiring corrective actions, and sometimes spark others to undertake compliance activity—rather than audits that focus exclusively on improving compliance.

However, investigations take a long time to develop. The enforcement actions that may come to fruition this year probably originated three to five years ago, and we may not see the results of increased enforcement activity today for several more years.

Copyright © by Ballard Spahr LLP


About this Author

Edward I. Leeds, Philadelphia attorney, Ballard Spahr Law firm, Employee Benefits and Executive Compensationattorney

Edward I. Leeds concentrates on issues relating to the design, administration, and taxation of health and other welfare benefit plans. His practice has evolved with the laws and market forces that shape those plans. Mr. Leeds advises clients about compliance with the Affordable Care Act, HIPAA, HITECH, COBRA, cafeteria plan rules, and other legal requirements. He prepares clients for audits of their privacy and security measures under HIPAA and advises them about the rules governing wellness initiatives.

Mr. Leeds represents employers in the negotiation and drafting of contracts...