The Department of Health and Human Services’ Office of Civil Rights recently published its cumulative enforcement results since the enactment of the HIPAA Privacy Rule in 2003.
As of July 31, 2018, OCR received over 186,450 HIPAA complaints and initiated over 905 compliance reviews. It has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
Ninety-six percent of the cases were resolved by OCR. Many were resolved by requiring changes in privacy practices and corrective actions by the HIPAA-covered entities and their business associates, or by providing technical assistance to the covered entities or their associates. To date, OCR has settled or imposed a civil money penalty in 55 cases, resulting in a total dollar amount of over $78 million.
The compliance issues investigated most are, in order of frequency:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of PHI
- Lack of patient access to their PHI
- Lack of administrative safeguards of electronic PHI
- Use or disclosure of more than the minimum necessary PHI
The most common types of covered entities required to take corrective action to achieve voluntary compliance are, in order of frequency:
- General hospitals
- Private practices and physicians
- Outpatient facilities
- Health plans (group health plans and health insurance issuers)
As these results indicate, OCR continues to be active in HIPAA enforcement, which can result in significant penalties to covered entities. Health care organizations are encouraged to review their HIPAA policies and procedures for newly evolving risks, revisit staff training on the organization’s specific procedures (including the appropriate use of texting and mobile equipment), and review the oversight and management of the organization’s process for identifying, investigating, disclosing, and documenting HIPAA breaches and security incidents.
More information on enforcement activities can be obtained by visiting HHS.gov.
If you have any questions regarding the content of this blog post, please contact Fran Ciardullo, special counsel, at firstname.lastname@example.org or 315.425.2866.