HEALTHCARE: HIPAA PRIVACY RULE: FOUR YEARS AND COUNTING

Four years after requiring Covered Entities to comply with HIPAA’s “Privacy Rule,” the Department of Health and Human Services has unveiled a website devoted to providing information on enforcement and compliance.[1] The website offers great insight into common violations and enforcement by the Office of Civil Rights (the “OCR”).
        The OCR has broad authority to investigate alleged Privacy Rule violations. As of April 2003, the OCR also has the ability to issue subpoenas when investigating an alleged violation. Should the OCR determine a violation occurred, it may request a violator to correct the practice or face civil monetary or criminal penalties. To date, however, the OCR has not recommended any civil monetary penalties. Since enforcement of HIPAA began, the Department of Justice (the “DOJ”) has been referred 384 cases by the OCR related to the knowing disclosure of Protected Health Information (“PHI”); however, none have been prosecuted. The DOJ has prosecuted four violations where employees sold PHI for personal financial gain. 
        Overall, the OCR has received 26,408 complaints since April 14, 2003. As of June 2007, 5,931 are currently under investigation. 20,477 complaints have been closed after preliminary review, or have been resolved after finding no violation or obtaining corrective action. The number of investigated complaints continues to trend upward, with 339 investigations in 2003 and 2,466 in 2006.
        The violations most commonly alleged were the following:
        1.    Impermissible use and/or disclosure of PHI;
        2.    Failure to maintain procedures to safeguard PHI;
        3.    Lack of patient access to PHI;
        4.    Disclosing more PHI than is minimally necessary; and
        5.    Failing to obtain/inadequate authorization for disclosing PHI.
     Generally, these complaints were most often directed at private practice physicians and general hospitals, followed by outpatient facilities, pharmacies and group health plans.
     This data shows us that, while complaints and investigations are on the rise, both the OCR and DOJ appear willing to provide an opportunity for a provider to become educated on the Privacy Rule and to correct its practices accordingly. It is only in extreme cases, such as when PHI is willfully mishandled for personal gain, that enforcement is required and penalties recommended.

[1] www.dhhs.gov/ocr/privacy/enforcement/

7250 North Cicero Avenue
Suite 200
Lincolnwood, Illinois 60712
Email: info@kr-law.com
Phone: (847) 982-1776
Fax: (847) 982-1676
