According to an article posted in the National Law Review, the Health and Human Services Office for Civil Rights recorded close to $15 million in compliance-related settlement payments through July of this year. The report notes that these settlements demonstrate OCR’s more aggressive posture in enforcing HIPAA regulations.
The bases for the settlements in the consent agreements varied: stolen laptops that were left unencrypted even though multiple risk assessments by the entity had determined that this posed a critical risk, incomplete risk analysis, and failure to take timely action on findings. A failure to obtain business associate agreements with business associates who needed access to PHI was also the basis for one consent agreement.
OCR is making it very clear that it is serious about its enforcement role.