It’s time for year-behind-us reminiscences and year-before-us prognostications and, for those of us with nothing better to do during the last few days of 2017 and first few days of 2018, attention turns to HIPAA enforcement. So what happened and what can we look forward to? If past is prologue, expect the sound of silence, as there was nominal Office for Civil Rights (OCR) activity in 2017 and, with the one noisy exception, no actions to cause your ears to burn.


In the how-did-that-ever-get-by-the-privacy-officer category, a HIPAA covered entity was hit with a hefty $2.4M fine for a one-off disclosure of a patient’s name to media outlets following an attempted identity theft. This penalty underscores the risks of inattention to basic HIPAA and (Hippocratic) principles and how one exceedingly poor decision can take a significant bite out of an organization’s bottom … line.

Additionally, it should be mentioned that the OCR announced no actions in the latter half of 2017 and those opprobrium-worthy events in the first six months of 2017 simply stressed the necessity of: (1) reporting breaches in a timely manner; (2) conducting risk assessments and implementing appropriate safeguards in response; (3) making certain that business associate agreements are in place with vendors handling PHI; and (4) inventorying and keeping track of mobile devices.

Finally and anecdotally (and on a related note), social engineering scams continue to rise in frequency and pitch and to expose ever-increasing amounts of data to the bad guys. The lesson learned from these attacks is hypervigilance in training personnel to avoid unfamiliar websites or attachments linked in unsolicited emails. Notwithstanding my prediction of a march of crickets, covered entities and business associates dealing in massive amounts of PHI could find themselves a click away from a cacophonous media frenzy and choirs of attorneys arguing class action suits.

Here’s hoping for a peaceful (and eerily quiet) 2018.