

January 2017


Polsinelli Prepares for the Coming HIPAA Storm with Another OCR Hire







For more information about this e-Alert, please contact:

Erin Fleming Dunlap

Lisa J. Acevedo

Over the past several months, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has ramped up its audit and enforcement activity. Phase 2 audits are underway, and OCR recently announced that it sent desk audit document requests to 48 business associates (in addition to the 167 covered entities that received document requests a few months earlier). We understand that, at the end of 2016, some providers that were not subject to a desk audit received notice of an on-site audit, and an OCR Senior Advisor confirmed that OCR will be conducting on-site audits of hospitals in 2017.

But OCR is not focused solely on the audit program. In August 2016, OCR announced that it would begin investigating breaches affecting fewer than 500 individuals ("Under 500 Breaches"). Historically, OCR had not investigated Under 500 Breaches as a matter of course, but, as Bob Dylan once wrote, "The Times They Are a-Changin'." As part of this new initiative, we understand that each of OCR's regional offices has been instructed to investigate a certain number of Under 500 Breaches, and it appears those investigations have begun. Over the past month, some of our clients received data requests about Under 500 Breaches they reported in 2015, and OCR appears to be using these investigations to perform "compliance checks," delving into HIPAA compliance areas unrelated to the issues that caused or relate to the Under 500 Breaches that triggered the review. According to OCR, when determining whether to investigate an Under 500 Breach, it may consider the number of individuals affected; the amount and type of protected health information (PHI) involved; whether the breach was caused by theft or improper disposal of PHI; whether it was a hacking incident; and whether the entity has filed numerous Under 500 Breach reports involving the same types of issues. Thus, we believe any entity that reported Under 500 Breaches fitting these focus areas should be prepared for an OCR compliance review.

OCR enforcement is also on the rise. In 2016, we saw the largest number of OCR enforcement actions in a single calendar year: 12 settlements and 1 imposition of civil monetary penalties. In June 2016, we saw the first settlement with a business associate, which followed the business associate's report of the theft of a mobile device containing unencrypted PHI. In August 2016, we saw OCR's largest settlement to date based on alleged HIPAA violations, totaling $5.5 million. Stolen desktops, laptops and thumb drives continued to be the impetus for a number of the enforcement actions, and OCR cited several entities for failing to enter into or update business associate agreements. This month, we also learned that OCR had settled with a large provider for failing to report a breach within 60 days of discovery.

Along with the increased government activity and enforcement, the health care industry continues to see a rise in cyber threats, including phishing and ransomware attacks, which often result in large breaches affecting thousands (if not millions) of individuals. OCR is keeping tabs on these ever-changing risks and threats and continues to issue guidance to make sure entities subject to HIPAA are doing what is necessary to protect electronic PHI. We believe it is important (perhaps more important than ever) to know and understand this guidance, as it will assist with HIPAA compliance efforts, breach response and risk mitigation.

Polsinelli is gearing up for this wave of increased activity and enforcement by hiring another former OCR attorney, Abby Bonjean, to join its Health Information Privacy and Security Team. Abby spent the last six years as an investigator with OCR, handling large breach investigations and negotiating settlements, including OCR's largest settlement to date. Abby's arrival at Polsinelli could not be more timely or beneficial to our clients. Polsinelli's Health Information Privacy and Security Team is staying abreast of OCR's activities and is well-positioned to advise clients on how to protect their data and respond to breaches and government investigations. Abby Bonjean adds another level of experience.

For More Information

If you have questions regarding this alert, please contact the authors, a member of Polsinelli's Health Care Practice, or your Polsinelli attorney.















Polsinelli is an Am Law 100 firm with more than 800 attorneys in 20 offices, serving corporations, institutions, and entrepreneurs nationally. Ranked in the top five percent of law firms for client service*, the firm has risen more than 50 spots over the past five years in the Am Law 100 annual law firm ranking. Polsinelli attorneys provide practical legal counsel infused with business insight, and focus on health care, financial services, real estate, intellectual property, mid-market corporate, labor and employment, and business litigation. Polsinelli attorneys have depth of experience in 100 service areas and 70 industries. The firm can be found online at Polsinelli PC. In California, Polsinelli LLP.

* 2017 BTI Client Service A-Team Report







Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

Copyright © 2017 Polsinelli PC.
