The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:
–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and
–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).
Both of OCR’s reports (as well as previous annual reports) are available on OCR’s website. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”
OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.
Summary of Complaints Received. The Report includes cumulative information about the number of complaints and their resolution. Over a period of nearly ten years, from April 14, 2003 (the compliance date of the HIPAA Privacy Rule) to December 31, 2012, OCR received 77,190 complaints alleging HIPAA violations. As of December 31, 2012, OCR had resolved 70,259 (91%) of these complaints and proudly observed that the majority of them were resolved within one year of receipt.
OCR lacked jurisdiction over a majority of complaints. One interesting takeaway from the complaints received is that a large number of Americans may not understand which types of entities HIPAA applies to or what type of activity and information HIPAA is designed to protect. Specifically, for 42,793 of the resolved complaints, more than half of the total, OCR determined that it simply lacked jurisdiction to act on the complaint. The cited reasons were that: a) the complaint alleged a violation that occurred before the compliance date of the applicable HIPAA Rule; b) the complaint alleged a violation by an entity not covered by HIPAA; c) the complaint was untimely or withdrawn; or d) the complaint described an activity that did not violate HIPAA.
Private physician practices were the most frequent offenders. Of the 27,466 complaints eligible for investigation, OCR resolved 18,559 by requiring the entity to take corrective action, by providing technical assistance to the entity to address any indication of noncompliance with the HIPAA Privacy Rule, or both. OCR noted that the types of entities it most commonly required to take corrective action were, in order of frequency:
- private practices
- general hospitals
- outpatient facilities
- health plans, which include group health plans and health insurance issuers
No HIPAA violation. In the remaining 8,907 cases, OCR found there was no HIPAA violation. In essence, of the 70,259 complaints that OCR reviewed or investigated, over 70% resulted in no corrective action either because OCR did not have jurisdiction to deal with it or there was no violation.
Compliance reviews not arising from complaints. From 2003 to 2012, OCR opened 804 compliance reviews addressing allegations of violations of the HIPAA Rules that did not arise from complaints, and the majority of those (710) stemmed from a report of a large breach. In analyzing its investigations, OCR determined that the compliance issues it investigated most, in order of frequency, were:
- impermissible uses and disclosures of PHI
- lack of safeguards of PHI
- denial of individuals’ access to their PHI
- uses or disclosures of more than the minimum necessary PHI
- lack of administrative safeguards of ePHI
Resolution Agreements, Civil Monetary Penalties & Investigative Subpoenas. In addition to the cumulative data, the Compliance Report provides a more focused look at the number of complaints and their resolution for the calendar years 2011 and 2012. It also provides information for those two years regarding what OCR considers “significant activities,” such as Resolution Agreements and civil monetary penalties (CMPs). OCR entered into seven Resolution Agreements in 2011 and 2012, and details of those agreements are included in the Report. A significant complaint involving Cignet Health of Prince George’s County, Maryland (Cignet) resulted in the imposition of CMPs. OCR considered Cignet’s behavior to be “egregious” and imposed a $4.3 million CMP because Cignet repeatedly refused to provide medical records to patients upon the patient’s request and then, later, upon OCR’s demand, subpoena and finally a court order. OCR observes that while these eight significant cases represent “a very small fraction of the complaints and compliance reviews through which OCR investigates compliance with the HIPAA Rules, this is double the number of high-impact cases that OCR resolved through Resolution Agreements and corrective action plans from 2008 to 2010.”
OCR issued only one investigative subpoena during the two-year period covered by the Report. It was directed to a social networking website as part of OCR’s investigation into a complaint alleging that a doctor had impermissibly posted a patient’s photograph and other PHI on the website. The website supplied the subpoenaed information, and OCR found “there was insufficient evidence to support the complaint.”
Audits. The Compliance Report also provides information about the number of audits performed and a summary of the audit findings. All entities and their business associates that are subject to HIPAA should examine these audit findings carefully. As noted by OCR in its Report, “[a]udits present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.”
Conclusion: OCR to “work smarter” in the midst of rising complaints. The Compliance Report concludes with OCR’s plan to “work smarter” to improve compliance with and enforcement of HIPAA in the following year. This will be particularly important if OCR’s prediction holds that resources to investigate complaints will remain limited while the number of complaints continues to rise. OCR plans to limit investigations to “cases that present compliance issues that are pervasive in the health care industry or other serious allegations and to engage the covered entities and business associates in these cases to reach meaningful resolution.”