The past year was marked by a number of significant new developments in Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security enforcement and regulation, including noteworthy settlements, the conclusion of the Phase 2 audits, and new guidance issued in response to cyberattacks targeting the health-care industry and the opioid crisis.
But the year in HIPAA enforcement and regulation was most defined by what did not happen – the absence of publicly announced HIPAA settlements by the HHS Office for Civil Rights (“OCR”) from June until late December. Many in the health-care industry are now wondering whether this lag in enforcement is an anomaly or the “new normal.”