By: HUB’s EB Compliance Team

Any time the Department of Health and Human Services Office for Civil Rights (“OCR”) closes an investigation with a resolution agreement, it posts the agreement on its website. A spate of recent enforcement actions under the Health Insurance Portability and Accountability Act (“HIPAA”) has led to over $10 million in total penalties in 2020 alone, including the second-largest payment to resolve a HIPAA investigation in OCR history. A review of these OCR enforcement actions reveals some common themes (at least in the eyes of OCR) which can be instructive for plan sponsors.


In the press releases for the enforcement actions reported so far this year, OCR identified the following as actions the penalized parties failed to take (the number of enforcement actions citing each failure is in parentheses):

  • Conducting a HIPAA-required risk analysis (5)
  • Risk management or mitigation (4)
  • Implementing or reviewing required internal controls (3)
  • Maintaining/implementing HIPAA policies and procedures (2)
  • Signing business associate agreements (2)
  • Required HIPAA workforce training (2)

In all instances, the investigation started with a report of a breach to OCR.

Employer Lessons

The list above contains most of the basic building blocks of a HIPAA compliance program. Employers with self-funded health plans, or those that receive protected health information (“PHI”) from insured plans, should take a look at their own HIPAA compliance program. Self-funded health plans can include health flexible spending arrangements and health reimbursement arrangements, in addition to more comprehensive health plans.

Based on the above list, employers may want to ask themselves the following questions:

  1. Have I conducted a risk analysis recently? This may involve working with your IT department or vendor. Where is PHI stored and how is it secured? Has anything changed if your company has transitioned to a virtual working environment? Technology is constantly changing the way we do business and store or transfer information and, unfortunately, cyber-attacks are evolving as well.
  2. Have I mitigated identified risks? HIPAA does not generally require that all risk of disclosure be eliminated. However, if you identify (or have identified in the past) risks that could lead to PHI misuse or disclosure, have you mitigated them? This could include making sure that files with PHI are stored securely, laptops and other devices are encrypted, password policies follow current guidance (NIST SP 800-63B, for example, favors strong, unique passwords and multi-factor authentication over frequent forced password changes), or something as basic as regular training for employees who may encounter PHI at your organization.
  3. Have I reviewed my HIPAA policies and procedures? While HIPAA has not changed significantly in recent years, a regular review, particularly of security procedures, may be helpful. Policies may need to be updated to reflect new technical safeguards implemented by your organization, such as new encryption methods for transferring data.
  4. Have all of my Business Associates signed Business Associate Agreements? If you have vendors that handle PHI, they should be signing these. As technology improves, there are more vendors to consider, such as Cloud Service Providers who may store PHI for your organization. Double-check to make sure that you have identified all Business Associates and that there is an effective Business Associate Agreement in place for each of them. This information should be maintained in a log for quick reference when needed.
  5. Am I doing regular HIPAA training? With the pandemic disrupting our lives over the last six months, training may have fallen by the wayside. However, cyber-attacks are on the rise due to the shift toward more virtual work environments, and it is critical to ensure that your HIPAA workforce is trained on a regular basis and that this is documented. Don’t forget to include new hires or employees who have switched or expanded into positions where they may come into contact with PHI. Double-checking and conducting a HIPAA training refresher is a good idea.

While this list is not exhaustive, it can serve as a good starting point for a basic HIPAA check-up. With open enrollment around the corner, now is a good time to review your HIPAA compliance program.

If you have any questions, please contact your HUB Advisor. You can also view more compliance articles in our Compliance Directory.


The information herein is intended to be educational only and is based on information that is generally available. HUB International makes no representation or warranty as to its accuracy and is not obligated to update the information should it change in the future. The information is not intended to be legal or tax advice. Consult your attorney and/or professional advisor as to your organization’s specific circumstances and legal, tax or other requirements.