HIPAA investigations by year. Data from the HHS

The Health Insurance Portability and Accountability Act (HIPAA), federal regulations to protect medical privacy and give patients greater control over their personal health information, was implemented in April of 2003. There was lots of flurry and concern, and then it all seemed to die down because the enforcement and threats of prosecution for violations didn’t really happen in the numbers that were anticipated. 

Well, it seems as though the enforcement beast is rearing its ugly head again.

Discuss this article on the forums. (9 posts)

Since April 2003, there have been over 26,000 complaints filed alleging violations of HIPAA Privacy regulations (Health Law Alert, April 25, 2007). Of note is the fact that in that four-year period since 2003, only 350 complaints were passed onto the Department of Justice for criminal enforcement [and only] four criminal HIPAA violations were prosecuted in the United States (as of February 2007).

Below are the most common allegations reported to the Office of Civil Rights (OCR) as violations of HIPAA Privacy (from: http://Onthepharm.net/2006/06/hipaa-enforcement-lacking.html):

§ Permission to use or disclose protected health information was not obtained (personal medical details were wrongly revealed)

§ Information was poorly protected (adequate safeguards were not in place)

§ More details were disclosed than necessary (Minimum Necessary Rule)

§ Proper authorization was not obtained (when required)

§ Patients were frustrated getting their own records (access, copies denied).

What is also important to know is that there is a difference between HIPAA Privacy and HIPAA Security (HIPAA security is fundamentally the security of electronic claims and transactions). As the public has become more aware over the past three years, the number of HIPAA privacy investigations has been steadily increasing (http://hhs.gov/ocr/privacy/enforcement/numbersglance0507.html).

These are a few signs that there is increasing focus on the enforcement of HIPAA Security (from Health Law Alert, April 25, 2007):

§ Each year the Office of Inspector General (OIG) issues a Work Plan. The 2007 Work Plan cited reviews of HIPAA Privacy and Security implementation during fiscal year 2007.

§ The HIPAA Security standards may begin to play a role in identity theft litigation claims, and HIPAA Privacy may begin to be used as “standard of care” to prove negligence in privacy claims.

§ A hospital in Georgia is being audited for its Security Rule compliance (no one seems to know why), and the OIG let it be known that it will perform similar audits nationally.

§ According to attorney-author Monica Hocum, “The best defense is to have a comprehensive compliance program that is actively monitored andt enforced.”

There are three things to remember:

1. None of us knows everything about all aspects of HIPAA Privacy. Educate your front line people, educate yourself and get good opinions.

2. Patients will continue to file complaints (and civil suits), even if the agency is not enforcing regulations. Complaints take your time and the time of your staff to investigate and rectify.

3. The requirements for compliance with HIPAA Privacy and HIPAA Security regulations aren’t going away.

HIPAA: Enforcement and Other Legal Risks. Health Law Alert, April 25, 2007.

HIPAA Apparently Lacks Teeth – But Does It Really Matter? (Onthepharm.net)

Compliance and Enforcement Numbers at a Glance. United States Department of Health and Human Services.

About the Author

Dr. Flippin brings a wealth of experience, starting with her long tenure as an attending physician at the Cook County Hospital Emergency Department. She is currently Corporate Compliance and HIPAA Privacy Officer at major Chicago hospital.