On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.

The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply  with the new set of HIPAA Omnibus rules.  The OCR has made clear that it is not focused merely on large institutions or hospital systems.  In August, the OCR announced that breaches affecting fewer than 500 individuals will be subject to investigation by its regional offices. Thus, even entities with small incidents or small amounts of protected health information (PHI), such as employee health plans, could see a higher rate of enforcement and a higher possibility of major fines if they fail to comply with HIPAA.  Also within the OCR’s sights are Business Associates, as the Omnibus rule empowered the OCR to directly investigate and enforce Business Associates’ compliance with HIPAA’s requirements that the Omnibus rule extended to these entities.