OCR Forcing More Healthcare Companies to Correct HIPAA Practices Due to Patient Complaints

OCR’s Informal Approach May Mask Some Enforcement Activity

ALEXANDRIA, VA, US, February 19, 2019 /EINPresswire.com/ -- Complaints about HIPAA violations have increasingly forced healthcare organizations and their contractors to change their privacy and security policies in the last two years, according to the latest analysis of HHS data by the independent newsletter, Health Information Privacy/Security Alert (HIP/SA).

In analyzing patient complaint data from 2009 through 2018, HIP/SA found that healthcare entities had to take corrective action because of 921 complaints filed in 2018 compared to 863 complaints in 2017 and 727 complaints in 2016.

The data showed that the increases reversed a steady decline in actionable complaints, which started in 2010 and lasted through 2015. The number of entities forced to make changes due to HIPAA complaints peaked in 2010 when 2,709 complaints prompted changes in privacy and/or data security practices.

The larger numbers of complaints were due in part to the HITECH Act requirements to report breaches to the HHS Office for Civil Rights (OCR) and notify patients. That made it more likely that patients would be filing complaints that fell within OCR’s health data privacy and security jurisdiction.

The number of actionable complaints dropped precipitously in 2014, however, and that decline was due in part to OCR’s change in approach to HIPAA complaints.

In 2014, OCR started reporting on how often it intervened informally by providing technical assistance to healthcare organizations, their contractors and patients. The agency did not formally require corrective action but it did put healthcare organizations on notice in the event other complaints were filed or violations were detected.

By the end of 2014, OCR said it had intervened in 7,883 cases. At the end of 2018, OCR said it had informally intervened in a total of 32,120 cases.

“OCR has been active in enforcing the medical privacy and data security rules under HIPAA. The problem is that HIPAA only covers healthcare providers, insurers and their contractors and no one else,” observed Dennis Melamed, editor and publisher of HIP/SA.

It is also important to remember that under the HIPAA complaint system, anyone can lodge a complaint – not only patients, Melamed noted. It is not uncommon for other organizations to file HIPAA complaints against other covered entities.

A fuller version of this analysis of HIPAA and HITECH Act enforcement is forthcoming in the next issue of Health Information Privacy/Security Alert.

ABOUT HEALTH INFORMATION PRIVACY/SECURITY ALERT

Since 1997, Melamedia, LLC, a regulatory research and publishing company, has published Health Information Privacy/Security Alert, the healthcare industry's oldest independent publication devoted to the issues related to the confidentiality and security of health and medical data.

Katalin Sugar
Melamedia
+1 703-704-5665