Many Patient HIPAA Complaints Are Really About Other Data Use Issues Outside of the Medical Privacy Law

Federal HIPAA enforcer refers many patient and employee complaints to federal and state agencies because issues are outside of federal medical privacy law.

“The difference between a patient and a consumer has disappeared, and HIPAA cannot handle the situation. Often what looks like patient data is really consumer information and not protected by HIPAA.”
— Dennis Melamed, Editor, Health Information Privacy/Security Alert

ALEXANDRIA, VA, US, May 24, 2018 -- A little more than 60% of the HIPAA complaints lodged with the HHS Office for Civil Rights (OCR) have fallen outside the agency’s jurisdiction since the program began in April 2003, according to the latest analysis by Health Information Privacy/Security Alert.

OCR reported that it resolved 96% of complaints (171,470) as of March 31, 2018. However, 107,604 complaints did not present an eligible case for enforcement.

Former OCR officials explained that many of the complaints were lodged against entities not covered by HIPAA, such as state child protective agencies, educational institutions, employers and workers’ compensation carriers.

However, that does not stop OCR from referring some of those complaints to the Federal Trade Commission, the Equal Employment Opportunity Commission, state licensing boards, the Department of Education and even the Social Security Administration.

Moreover, there is a deep appreciation that FDA-approved medical devices, which generate and collect health data, require coordination among federal agencies because HIPAA covers a very limited universe of data.

“The differences between a patient and a consumer have all but disappeared and HIPAA was not designed to handle the situation,” observed Dennis Melamed, editor and publisher of Health Information Privacy/Security Alert. “In the Internet of Health Things, what looks like protected health information is really consumer information and not protected by HIPAA. The challenge now is how do we manage these new sources of health information.”

A fuller discussion of patient complaints and HIPAA enforcement was held in a May 24 webinar: The Hidden World of OCR’s HIPAA Enforcement. In the 90-minute program, national HIPAA authorities briefed participants on the lessons learned from patient complaints, HITECH small breaches, OCR’s technical assistance program and the rejected complaints.

The webinar, sponsored by Melamedia, LLC, qualifies for 1.5 CEs from the International Association of Privacy Professionals. For more information and to order, visit

Katalin Sugar
Melamedia, LLC