Report on Patient Privacy 25, no. 5 (May, 2025)
In October, the HHS Office for Civil Rights (OCR) fined Providence Medical Institute (PMI) $240,000, an amount that reflected a 20% discount for having “recognized security practices” (RSPs) in place. But many more covered entities (CEs), business associates (BAs) and their attorneys grumble that they’re not getting credit for RSPs.
“Some of these organizations would produce their quote-unquote recognized security practices in a box, a virtual box and give it to OCR, and then OCR has to go through all of that,” Melanie Fontes Rainer, the most recent OCR director, told RPP. “And oftentimes, I’m not trying to be rude, but it was not great.”
In December, Children’s Hospital Colorado allowed OCR to fine it nearly $550,000 rather than settle and implement a multiyear corrective action plan (CAP), joining what appears to be a growing number of organizations making a similar choice. Why might this be happening? Fontes Rainer said OCR’s limited financial penalties—which it has been unsuccessfully lobbying Congress to increase—are partly to blame.
Enforcement trends were just one topic Fontes Rainer, a Biden appointee who resigned in January, discussed with RPP. The wide-ranging interview took place in early April, just after HHS announced a “dramatic” restructuring of the agency, a move that will see OCR switch from being a direct report of the HHS secretary to being under a new Assistant Secretary for Enforcement. HHS is also set to lose up to 20,000 employees.
As RPP reported in the April issue, Fontes Rainer is concerned that the impending reorganization could rob OCR of its independence and dilute its ability to respond to a security crisis like that resulting from the February 2024 Change Healthcare breach. She also bemoaned the loss of staff for the chronically underfunded and under-resourced agency.[1]
In addition to Fontes Rainer’s thoughts on trends, this article delves into her views on the future of the proposed Security Rule and reasons why it’s important that her successor continue the Right of Access Initiative.
Who that will be remains unknown, as President Donald Trump had not appointed a director as of RPP’s deadline. The agency is being led by Acting Director Anthony Archeval. In April alone, Archeval announced four new settlements with CEs. Three of the settlements were concluded since the Trump administration came into office, but all began years earlier. Two, for $25,000 each, stemmed from ransomware attacks and involved failures to conduct a risk analysis.[2]
To date this year, OCR has announced 13 HIPAA enforcement actions, and although this might look like business as usual as far as HIPAA goes, it’s too soon to tell. None of the cases reflects actions begun under Trump’s new term, which is not surprising given that investigations typically take years to conclude. With each announcement, Archeval has confirmed that “OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information.”
But OCR is also now juggling investigations and priorities that are new to the agency, such as whether Maine allowed men to compete in women’s sports and whether medical school graduates experienced antisemitism at commencement ceremonies. The list is also expanding.
On April 25, OCR announced it was working with the Department of Education (ED) to investigate “Harvard University and the Harvard Law Review based on reports of race-based discrimination permeating the operations of the journal. The investigations are in response to information ED and HHS received about policies and practices for journal membership and article selection that may violate Title VI of the Civil Rights Act of 1964 (Title VI).”[3]
“ED and HHS will examine Harvard’s relationship with the journal, including financial ties, oversight procedures, and selection policies and other documentation for both membership and article publication,” according to the announcement. This joins a number of other investigations and actions against Harvard, including freezing billions in grants and contracts.
‘No Reason Not to Proceed’ on Security Rule
During Fontes Rainer’s tenure, OCR issued six final rules, including rules addressing nondiscrimination in health care, Part 2 harmonization and reproductive protected health information (PHI). At a recent HCCA conference, attorney Adam Greene provided an update on some of the legal and implementation challenges related to the reproductive rule.[4]
OCR’s last regulatory action under Fontes Rainer came just weeks before she resigned, as is required of political appointees. On Dec. 27, OCR issued a proposed rule to revise the Security Rule for the first time since 2013; it was formally published in the Federal Register on Jan. 6. During the comment period, which closed March 7, the rule attracted criticism, including from those who called for HHS to rescind it, citing high compliance costs, among other reasons.[5]
But a do-over would be a mistake, Fontes Rainer told RPP.
Noting that she has no insight into what the current administration thinks of the proposed rule, Fontes Rainer said she is “hopeful that it transcends politics” and is finalized. The proposed rule reflects input from OCR’s interactions with Congress, she said, adding that OCR staff were regularly in touch with various members and committees in the aftermath of the Change Healthcare breach.
“There’s no reason for [the current administration] not to proceed with it because it’s apolitical. It’s important to our health care system. It’s a proposed rule, right? So, they’ll get lots of comments; some comments they’ll agree with, some comments they won’t agree with. It gives them the opportunity to get moving on that, as opposed to starting all over”—a step Fontes Rainer said would be “irresponsible.”
It is worth noting that on Jan. 5, 2021—just before his resignation—then-Director Roger Severino and OCR similarly published a proposed regulation revising the Privacy Rule that was also described as nonpartisan. But HHS under Biden never followed up with a final rule.
OCR Explained RSPs in a Video
Turning to RSPs, these have been something of a thorny subject since they were first enshrined in a bill signed into law in early 2021, during the final days of Trump’s first term. Congress gave OCR the ability to lessen penalties for Security Rule violations if the CE or BA could prove it had RSPs in place during the previous 12 months. This authority is retroactive to December 2016.
The law allows OCR to decrease the length and extent of an audit, such as closing an audit early with a “favorable termination.” In addition, fines and other “remedies in any agreement with respect to resolving potential violations of the HIPAA Security Rule” could be mitigated.[6]
But the law says little about RSPs and allows CEs and BAs to determine those they want to employ. It refers to RSPs as those developed by the National Institute of Standards and Technology, “approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
The law was widely embraced by the health care industry, eager for some grace from OCR when breaches and other cybersecurity incidents occur. The American Hospital Association and others clamored for OCR to make good on its promise to issue rulemaking to explain how it would implement RSP deliberations. OCR went so far as to issue a request for information, typically a precursor to a rule or guidance. But despite its pledges, OCR did neither; instead, in October 2022, nearly two years after the bill became law, OCR posted a 30-minute video on YouTube.[7]
In the years since, it’s not been evident when RSPs came into play unless an organization’s investigation ended in a fine; in these cases, OCR typically posted a notice of proposed determination that occasionally mentioned them. As noted earlier, PMI got a 20% break on its fine, although this merited only a short mention, and there was no explanation as to which RSPs OCR deemed acceptable.[8] But Warby Parker got nothing, as OCR rejected its bid for the RSP discount when it imposed a $1.5 million fine, announced by the agency in February.
This was also the case with Children’s, whose $548,000 fine OCR announced in December. The notice of proposed determination indicates that OCR asked the hospital three times to demonstrate its implementation of RSPs, and none of the information it provided was sufficient for the agency.
There are two challenges when it comes to RSPs, Fontes Rainer told RPP. First, “Congress didn’t give OCR a tool to properly enforce that,” she said, adding that OCR staff recommended the use of RSPs be mandated.
Fontes Rainer to Congress: Fix RSPs, Up Fines
Second, although RSPs “are so important…the way in which the statute is framed [is] pretty open-ended in terms of how they can manifest themselves. That in and of itself creates, I think, sort of a patchwork of what people produce” when asked to provide their RSPs, she said. As noted earlier, Fontes Rainer said that what organizations provide has often been of poor quality.
She also referred to the “current construct” as “imperfect on all sides” and suggested this is something that could benefit from “more work” by Congress and others. “It’s imperfect for stakeholders like HIPAA covered entities because it’s not clear on what those are. And the statute itself allows for various mechanisms” to qualify as RSPs, Fontes Rainer said.
Children’s was extremely critical of the whole process, with officials telling RPP the hospital capitulated after expending “an excessive level of transparency, cooperation, time and resources for more than the past six years to no avail.”[9]
Maintaining there were no HIPAA violations, the hospital also rejected the idea of settling. “While OCR did offer an option with a lower fine, it was contingent on requirements that would require an unfeasible and unnecessary amount of time and resources on our behalf and would still come with a significant fine,” Children’s said. Representatives of other CEs involved in OCR enforcement cases have complained to RPP that they also opted to accept a fine because that meant not having to comply with onerous CAP requirements deemed to have been broader than deficient areas of compliance.
While not commenting on whether this is a trend, Fontes Rainer said it relates to the fact that OCR voluntarily instituted annual caps on its fines in 2019. That followed a loss in court to the University of Texas MD Anderson Cancer Center. At the time, Severino said the lowered fines “better reflect” the law.[10]
A penalty cap “creates a natural problem where you do see organizations that just choose to settle or pay a fine as opposed to actually doing the work,” Fontes Rainer said.
For its part, imposing a civil monetary penalty is “more resource-intensive for OCR, which is also why we try to drive the voluntary compliance,” she said.
Fontes Rainer pointed out that OCR has been trying to get Congress to increase the fines for the last several years. In the last session of Congress, Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., introduced a broad security bill that included removing all penalty caps, but it was not passed and has not been reintroduced.[11]
Currently, the minimum fine per identical violation ranges from $100 to $50,000, with annual maximums of $25,000, $100,000 or $250,000 per year for the three lower tiers of violations and $1.5 million for “willful neglect,” the highest tier. Before lowering the maximums via a notice of enforcement discretion, OCR routinely imposed $1.5 million per year for violations, regardless of the level of severity.
Access Cases: 53 and Counting
Addressing the Right of Access Initiative, Fontes Rainer said the program—begun by Severino in 2019—responds to patients’ critical need for their PHI.
OCR recently issued its 53rd enforcement action in the program, fining Oregon Health & Science University $200,000 for a 16-month delay in providing a patient with access to her medical records following a 2019 request. RPP will discuss this case and possible technical solutions to fulfilling access requests in a future issue.
Fontes Rainer said she “definitely” wants to see this initiative continue, noting that thwarted access is a common complaint to OCR.
“We believe that it’s a core tenet of HIPAA that people have access to their own health information,” she said. “We know that when people have information, it’s power and it puts them in the center of their care in a way that I think we all want in the health care system.”
“When I was at OCR, each of my regions was working to prioritize cases and cases that have high impact, so I assume we will see more of these,” Fontes Rainer added, noting that the access requirement is universal: both large organizations like UnitedHealthcare and small dental practices must comply.
“I think this very much fits the ‘Let’s make everyone healthy again’ goal,” she added.
1 Theresa Defino, “OCR Loses Staff, Faces Move to New ‘Enforcement’ Office; Will HIPAA Focus, Independence Suffer?” Report on Patient Privacy 25, no. 4 (April 2025), https://bit.ly/4iizT2A.
2 Jane Anderson, “OCR Notches Two More Risk Analysis, Ransomware Settlements,” Report on Patient Privacy 25, no. 5 (May 2025).
3 U.S. Department of Health and Human Services, Office for Civil Rights, “ED, HHS Launch Title VI Investigations of Harvard University and Harvard Law Review Amid Allegations of Discriminatory Practices,” news release, April 28, 2025, https://bit.ly/3SjgaoF.
4 Theresa Defino, “Amid Suits and Significant ‘Pushback’ Regarding Repro PHI Attestations; No Rush to Amend NPPs,” Report on Patient Privacy 25, no. 5 (May 2025).
5 Jane Anderson, “‘Kill This Fast and Start Over:’ Commenters Decry Costs, Minimal Benefit in Proposed Security Rule,” Report on Patient Privacy 25, no. 3 (March 2025), https://bit.ly/4daKOu7.
6 Theresa Defino, “Facing Escalating Attacks, AHA Presses OCR to Expedite Security Practices Rule,” Report on Patient Privacy 21, no. 12 (December 2021), https://bit.ly/44gyyG6.
7 Theresa Defino, “OCR Shares Information About Recognized Security Practices, Clarifies No ‘Safe Harbor,’” Report on Patient Privacy 22, no. 12 (December 2022), https://bit.ly/3Aqa54y.
8 Theresa Defino, “Recognized Security Practices ‘Saved’ Covered Entity $60K of $300K Fine, But Which Ones Remain a Mystery,” Report on Patient Privacy 24, no. 11 (November 2024), https://bit.ly/420gmis.
9 Theresa Defino, “We’ll Take the Fine: OCR’s ‘Unwarranted,’ Costly Demands Prompted Hospital’s $538K Payment,” Report on Patient Privacy 25, no. 2 (February 2025), https://bit.ly/4bmRvZ1.
10 Theresa Defino, “Easy Win for MD Anderson? OCR Drops Annual Caps, Issues Warning on Right-of-Access Denials,” Report on Patient Privacy 19, no. 5 (May 2019), https://bit.ly/3VicgOJ.
11 Theresa Defino, “Beyond the Bluster: New Wyden Security Bill Mirrors OCR’s Goals, Unfulfilled Mandates; Drops Penalty Cap,” Report on Patient Privacy 24, no. 11 (November 2024), https://bit.ly/42ZBfc.