
OCR Enforcement: Lessons Learned and Preparing for What’s Ahead

On May 20, 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued two annual reports to Congress, summarizing its oversight and enforcement activities during calendar years 2011 and 2012 with respect to: (1) breaches of unsecured protected health information (PHI);[1] and (2) HIPAA Privacy, Security, and Breach Notification Rule compliance.[2] The reports, which are required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, provide useful information regarding trends in breaches, HIPAA compliance risk areas, and OCR enforcement activities. This article will highlight key takeaways from each of the reports, discuss the current and future enforcement landscape, and provide recommendations for ensuring compliance with the HIPAA Privacy, Security, and Breach Notification Rules.


  1. Department of Health and Human Services Office for Civil Rights. Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Years 2011 and 2012. May 20, 2014. Available at: http://1.usa.gov/1v799Ji
  2. Department of Health and Human Services Office for Civil Rights. Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012. May 20, 2014. Available at: http://1.usa.gov/1sJmAZv