After announcing that its HIPAA enforcement collections had reached a new high-water mark of $28.7 million in 2018, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services has started this year quietly. Through the first few months of 2019, the OCR has published no resolution agreements and it is doubtful that it has any investigation in the pipeline that will produce a settlement nearly as large as the $16 million collected from Anthem, Inc., last year on account of its massive data breach in 2014 and 2015, which affected almost 79 million people. Thus, it appears unlikely that this year’s OCR collections will match the totals from 2018, but a number of factors suggest that enforcement activity will resume and potentially expand in the future. For example:
Settlement payments may provide the government with needed revenue in a period of budgetary constraints.
OCR announced last year that it would develop a methodology for distributing a portion of the money it receives through HIPAA enforcement actions to individuals affected by a breach. The implementation of such a program (which is technically required, but long delayed) may encourage more individuals to report breaches to OCR and could motivate OCR to increase the amount it seeks in any given enforcement action.
Although there is no private right of action under HIPAA, individuals may bring lawsuits under other privacy grounds and legal theories, which nevertheless draw on HIPAA to set standards for how data should be protected.
As for settlements, there has been little recent activity on OCR’s HIPAA audit program. Phase Two of the audit program seems to have fizzled out. Although audits may be revived at some time in the future, it is more likely that OCR will dedicate its limited HIPAA resources to investigations—which can produce revenue in addition to requiring corrective actions, and sometimes spark others to undertake compliance activity—rather than audits that focus exclusively on improving compliance.
However, investigations take a long time to develop. The enforcement actions that may come to fruition this year probably originated three to five years ago, and we may not see the results of increased enforcement activity today for several more years.