Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses OCR HIPAA Enforcement

Healthcare Info Security
February 4, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in an article about federal regulators’ imposition of a civil monetary penalty (CMP) on a healthcare organization after it failed to resolve security issues following a Health Insurance Portability and Accountability Act (HIPAA) investigation.

It’s up to the discretion of the Department of Health and Human Services’ Office for Civil Rights (OCR) whether it seeks a civil monetary penalty from an organization being investigated for potential HIPAA violations, based on their cooperation with authorities as well as their efforts to resolve security issues, said Mr. Nahra.

“The question of whether CMPs are pursued is mostly an issue of how the company being investigated behaves,” he said. “It is in OCR’s interest to be able to resolve situations to its satisfaction without going through the formal enforcement process, and most companies so far have also found it in their interest. It is analogous to why most cases settle before they go to trial—it is expensive and time consuming and burdensome and risky to go to trial. If you can reach a good settlement, you settle,” he added.

The penalty in this case doesn’t necessarily signal that more such civil monetary penalties are coming soon from OCR, Mr. Nahra said. “I don’t see this as anything other than this company decided to fight, for whatever reason. I don’t think there’s any particular lesson to be learned from the fact that this was a CMP case—except perhaps that OCR is prepared to fight when it needs to,” he said.

The case, like other OCR investigations, highlights the necessity to safeguard protected health information, regardless of where it resides, Mr. Nahra says. “It should remind companies about how important it is to control paper records as well as electronic information,” he said. “The fine relates to the lack of controls more than the number of people affected. The number of people is one factor, but really bad [security] practices affecting a small number of people can lead to big dollar [penalties].”
