Kusserow on Compliance: Enforcement update from OCR

The HHS Office for Civil Rights (OCR) reports that HIPAA Privacy and Security breaches of Protected Health Information (PHI) continue to increase. Based on data published by OCR, it is estimated that more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. However, the true number is much greater, because most breaches involve fewer than 500 and therefore are not subject to public disclosure. Since the compliance date of the Privacy Rule in April 2003, the OCR reported receiving over 137,770 HIPAA complaints that resulted in nearly 1,000 compliance reviews. The following summarizes the results of review and investigation:

  • 70 percent were determined to be (a) not warranting enforcement as untimely or withdrawn by the complainant; (b) entities not covered by HIPAA; or (c) absence of a violation.
  • 17 percent led to requirements for changes in privacy practices and corrective actions.
  • 10 percent involved early intervention with only the need to provide technical assistance.
  • 37 cases involved financial settlements of $39,989,200.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance were, in order of number of occurrences, Private Practices, Hospitals, Outpatient Facilities, Pharmacies, and Health Plans. To date, the compliance issues investigated most often, compiled cumulatively and listed in order of frequency, are:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Use or disclosure of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.