For those healthcare employers that have been resting on your laurels and viewing through rose-colored glasses your entity’s HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health) compliance efforts, the time has come to thoroughly clean your glasses and prepare for increased Office of Civil Rights (“OCR”) enforcement actions.  Speaking at the recent National HIPAA Summit, the OCR’s Director, Leon Rodriguez, announced that the OCR intends to follow the Office of Inspector General’s (“OIG”) vigilant enforcement model for HIPAA violations.  The OCR intends to focus its enforcement efforts on both “common-sense” patient confidentiality and breach violations.  In addition, the OCR continues to work on audits of covered entities.

First OCR HITECH Breach Settlement

Making history as the OCR’s first HITECH Breach Notification violation settlement, Blue Cross Blue Shield (BCBS) of Tennessee recently settled with the OCR for approximately $1.5 million.    The ground-breaking settlement illustrates the OCR’s increased focus on penalizing non-compliant healthcare entities.  Further, it indicates the OCR is effectively working the kinks out of its HITECH breach investigative process and is not afraid to levy hefty fines on those healthcare organizations deemed to be sub-par in their patient privacy and security compliance efforts.  BCBS reported around 57 hard drives containing protected health information (PHI) were stolen from a leased facility.

Fines Levied only Small Fraction of HIPAA Violation Cost

BCBS reportedly spent about $18.5 million on its investigation of the reported HIPAA violations.  Besides the obvious costs of managing its response to the government’s investigation, this hefty price tag included paying for the following:

  • informing patients of the leak of their patient information;
  • hiring a data recovery specialist to analyze the extent of the breach;
  • reviewing and improving the organization’s overall HIPAA compliance; and
  • assigning approximately 500 BCBS employees to assist with the investigation.

Phoenix Physician Group Targeted Through Settlement

In addition, last month, Cardiac Phoenix Surgery reached a $100,000 settlement with the OCR for failure to properly safeguard its patient information.  The investigation began with a claim that the group posted appointments for its patients on a publicly accessible calendar.  Through its extensive investigation, the OCR discovered the physician group’s general failure to safeguard its PHI through limited policies and other safeguards.

Many physicians and physician groups have long believed they are immune from government scrutiny for general compliance enforcement, including patient confidentiality.   However, the recent settlements should cause physicians and their groups, along with other healthcare entities, to embrace the applicable regulatory requirements to better safeguard protected health information before it is too late.

What Employers Need to Know to Avoid Becoming HIPAA Violation Targets

Both the OCR’s recent enforcement announcement and its settlements serve as wake-up calls to healthcare employers to avoid complacency with their patient privacy and security compliance efforts. Increased government scrutiny is certainly here to stay.  To avoid becoming a target on the OCR’s investigative radar, healthcare facilities and companies should adopt the following objectives:

  • routinely assess their privacy and security policies to evaluate whether their PHI is adequately protected under the letter of both state and federal laws and regulations;
  • train staff and other healthcare providers annually on these requirements; and
  • perform routine risk assessments to identify any potential holes in their HIPAA-related compliance.

By adopting these focused compliance efforts, a healthcare entity may not necessarily escape the OCR’s probing gaze, but will certainly reduce the possibility that a violation will be found, as well as lessen the monetary damage if non-compliance is detected.

