Roger Severino, the director of the Office for Civil Rights at the Department of Health and Human Services who oversees HIPAA enforcement, recently commented that there is an abundance of “low-hanging fruit” of HIPAA noncompliance. Specifically, he noted that covered entities are failing to complete comprehensive risk analyses or properly train employees on privacy requirements. He also observed that entities are ignoring their duty to report any breaches to the OCR and are instead opting to sweep those breaches under the rug.
Mr. Severino further remarked that he expects enforcement to be substantial in 2020, consistent with 2019’s large number of enforcement actions. While Mr. Severino’s statements give some clue as to what may be on the menu for enforcement in 2020, he further warned that his office intends to look for a broad range of violations in order to emphasize that all aspects of HIPAA are important and require compliance.
Smaller organizations can take some solace in Mr. Severino’s confirmation that OCR will take into account the size and financial condition of the entity when assessing HIPAA noncompliance penalties. However, there are suggestions that the office is shying away from enforcing big-dollar penalties and is instead moving towards pursuing a larger quantity of lower-dollar matters, so all covered entities are at risk of OCR enforcement if they do not take HIPAA compliance seriously.