OCR Awoke from its HIPAA Enforcement Slumber Last Week

If you asked me Friday morning of last week to give you my impression of HIPAA enforcement so far in 2022, I would have said “slow.”  Up to that point, OCR had announced only four enforcement actions and all on the same day in March (see Three Dentists and a Psychiatrist Walk into a Bar:  Four HIPAA Enforcement Actions that are No Joke).  That was nearly four months ago.

In a matter of two days, things went from “slow” to more enforcement action resolutions than in the previous year and its only July.  On Thursday, July 14, 2022, OCR announced a settlement with Oklahoma State University (OSU) for $875,000 stemming from a hacking incident.  OCR claims that OSU failed to comply with many HIPAA requirements, including security requirements, which likely was the greatest contributor to the six-figure settlement.

Then, on Friday afternoon (these things always happen on a Friday afternoon), OCR announced 11 (that’s not a typo) Right of Access enforcement actions at one time.  The concept of announcing multiple enforcement actions at the same time is not new.  OCR did it earlier this year.  And, in both 2020 and 2021, OCR announced five Right of Access resolutions on the same day.  But 11 is a new record.  So is twelve in one week.

Penalties and settlements for these 11 matters ranged from $3,500 to $240,000 and totaled $646,000. They also include one civil monetary penalty.  The story with these is the same as all the others: failing to properly respond to patients’ requests for records.

Right of Access remains a hot enforcement topic, even though compliance can be simple.  We created a Right of Access video series made up of six short (3-5 minute) videos on the various components of Right of Access.  It’s available on Vimeo.  No charge, no need to register or other strings attached.  Just a good resource to help address the single most enforced aspect of HIPAA over the past few years.

For those of you keeping score, there have been 16 HIPAA enforcement action resolutions so far in 2022 (13 of which are Right of Access) with total penalties and settlements just under $1.7 million.