
Stay informed about enforcement, audits, and penalties with our September 2018 update

HIPAA Privacy & Security Updates—From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer, Sept-Oct 2018

There have been no HIPAA Privacy & Security enforcement actions, penalties or settlements since the last issue. However, I thought I would provide some updated enforcement information from HHS/OCR.

According to the enforcement highlights and enforcement results posted on the HHS website (HHS.gov) as of July 31, 2018, OCR has received over 186,453 HIPAA complaints since the compliance date of the Privacy Rule in April 2003. To date, OCR has initiated over 905 compliance reviews and has resolved 96% of these cases (178,834).

According to HHS, OCR has investigated and resolved over 26,152 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates.

OCR has, according to HHS, successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled or imposed a civil money penalty in 55 cases, resulting in a total dollar amount of $78,829,182.00.

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

In another 11,518 cases, OCR investigations, according to HHS, found no violation had occurred.

Additionally, in 29,042 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. OCR and HHS take pride in the number of cases for which they have provided such assistance.

In the balance of completed cases (112,122), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:

  • OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;
  • The complaint is untimely, or withdrawn by the filer;
  • The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.

From the compliance date to the present, according to HHS, the compliance issues most frequently investigated are, compiled cumulatively and in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: General Hospitals; Private Practices and Physicians; Outpatient Facilities; Pharmacies; and Health Plans (group health plans and health insurance issuers).

Referrals to the DOJ

OCR refers appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rules to the Department of Justice (DOJ) for criminal investigation. As of the date of this summary, OCR had made 688 such referrals to DOJ.

Stay tuned for more HIPAA Privacy & Security Updates in the next issue!

Source: HHS.gov website postings