HHS-OCR is watching

Health & Human Services is watching you

In filing its report for 2019, Health & Human Services’ (HHS) Office of Civil Rights (OCR) noted that since the April 2003 implementation of the Privacy Rule, it has received over 225,378 HIPAA complaints. In response, the OCR has initiated over 993 compliance reviews and also resolved 99% of those 225,378 complaints (222,175).

More than 27,604 of those cases investigated and resolved required organizations to change privacy practices and to take corrective actions. These corrective actions resulted in systemic change. But more important to those of us in compliance, where an investigation indicates noncompliance, OCR has exerted a financial pinch, hitting the covered entity or their business associate in the pocketbook.

HIPAA exposures are costly

OCR has settled or imposed a civil money penalty in 73 cases totaling $111,855,582.00. The enforcement agency investigated complaints against such entities as national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. No one is immune.

But not everyone pays

In another 12,094 cases, OCR HIPAA investigations found no violations. Additionally, in 40,882 cases, the enforcement arm was able to intervene early and provide technical assistance to HIPAA-covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, eliminating the need for an investigation.

And in 141,595 of its completed cases, OCR determined that the complaint was not eligible for enforcement. Among these kinds of cases were:

  • Those in which OCR lacked jurisdiction under HIPAA. These might be, for example, cases alleging a violation by an entity not covered by HIPAA;
  • Untimely complaints or complaints that were withdrawn by the filer; and
  • Activities described in a complaint that did not violate the HIPAA Rules. These might be, for example, cases in which the Privacy Rule permitted the HIPAA-covered entity to disclose protected health information.

What prompts an investigation?

From the compliance date in April 2003 through December 31, 2019, the most common compliance issues prompting complaints are (in cumulative order of frequency):

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Lack of administrative safeguards of electronic protected health information; and
  5. Use or disclosure of more than the minimum necessary protected health information.

What healthcare entities violate HIPAA most?

The types of healthcare organizations most often alleged to have committed violations in the cases OCR has investigated are, in order of frequency:

  1. General Hospitals;
  2. Private Practices and Physicians;
  3. Outpatient Facilities;
  4. Pharmacies; and
  5. Health Plans (group health plans and health insurance issuers).

How many HIPAA violators have been further investigated?

OCR refers cases involving the knowing disclosure or acquisition of protected health information to the Department of Justice (DOJ) for criminal investigation. As of December 2019, the OCR made 824 referrals to the DOJ.

What are healthcare compliance professionals to do? Pay attention, of course. A vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. Patrina can help. We’ve built our business based on helping organizations keep track of “bad apples” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture, file storage, and records archiving specifically designed for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.