Health & Human Services is watching you
In filing its report for 2019, Health & Human Services’ (HHS) Office of Civil Rights (OCR) noted that since the April 2003 implementation of the Privacy Rule, it has received over 225,378 HIPAA complaints. In response, the OCR has initiated over 993 compliance reviews and also resolved 99% of those 225,378 complaints (222,175).
More than 27,604 of those cases investigated and resolved required organizations to change privacy practices and to take corrective actions. These corrective actions resulted in systemic change. But more important to those of us in compliance, where an investigation indicates noncompliance, OCR has exerted a financial pinch, hitting the covered entity or their business associate in the pocketbook.
HIPAA exposures are costly
OCR has settled or imposed a civil money penalty in 73 cases totaling $111,855,582.00. The enforcement agency investigated complaints against such entities as national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. No one is immune.
But not everyone pays
In another 12,094 cases, OCR HIPAA investigations found no violations. Additionally, in 40,882 cases, the enforcement arm was able to intervene early and provide technical assistance to HIPAA-covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, eliminating the need for an investigation.
And in 141,595 of its completed cases, OCR determined that the complaint was not eligible for enforcement. Among these kinds of cases were:
What prompts an investigation?
From the compliance date (April 2003) through December 31, 2019, the most common compliance issues prompting complaints are (in cumulative order of frequency):
What healthcare entities violate HIPAA most?
The healthcare organizations that the OCR has investigated most, and that were alleged to have committed violations, are, in order of frequency:
How many HIPAA violators have been further investigated?
OCR refers cases involving the knowing disclosure or acquisition of protected health information to the Department of Justice (DOJ) for criminal investigation. As of December 2019, the OCR made 824 referrals to the DOJ.
What are healthcare compliance professionals to do? Pay attention, of course. A vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. Patrina can help. We’ve built our business on helping organizations keep track of “bad apples” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture, file storage, and records archiving specifically designed for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.