The HHS Office for Civil Rights (OCR) reported that it has received 74,554 complaints in total, which suggests it received 878 complaints in September, a drop of 114 from the 992 complaints received in August. It received 835 complaints in July. Despite the drop, the rate of complaints appears to remain well over 800 per month.
Of the 26,513 HIPAA complaints that fell within OCR’s jurisdiction, 17,767 required corrective actions by covered entities (CEs).
An analysis by HIP/SA found that the agency determined that 345 HIPAA complaints required action by covered entities in September compared to 397 complaints in August. In July, 317 complaints required action by covered entities.
The September statistics continued to indicate that OCR investigations are more likely to lead to CE corrective action than prior to the HITECH Act, and that the agency is consistently receiving a higher number of complaints compared to levels before the health data breach notification law.
The remaining 8,746 complaints within OCR’s jurisdiction were closed with a finding of no violation.
The agency said it had resolved more than 91% of all the complaints it had received. However, that statistic included a large number of complaints (41,583) that did not fall within HHS’s jurisdiction. OCR’s numbers suggest that it has 6,458 complaints in some phase of the investigative process. In August, it had 6,503, and in July it had 6,373.
Overall, about 26% of total investigated HIPAA privacy complaints resulted in some corrective action by CEs.
OCR reported it has referred more than 502 cases to the Justice Department for possible criminal prosecution, the same figure as in prior months, which indicates the agency made no referrals for criminal prosecution in June, July, August or September. It made two referrals in May.
The Justice Department has not reported how many of those referrals resulted in prosecution or how many were returned to OCR. However, the Justice Department has shown more interest in using HIPAA as a criminal enforcement tool as the FBI and federal prosecutors become more comfortable with the law, particularly after the HITECH Act clarified that the criminal penalties apply to individuals and not only to covered entities.
The privacy areas investigated most often were:
- Impermissible uses and disclosures of protected health information (PHI);
- Lack of safeguards of PHI;
- Lack of patient access to their PHI;
- Uses or disclosures of more than the Minimum Necessary PHI; and
- Lack of administrative safeguards of electronic PHI.
OCR released a memo reminding the public and the healthcare community that patients are entitled to access their medical records at a reasonable cost.
The most common types of covered entities that had to take corrective action to get into compliance were:
- Private Practices;
- General Hospitals;
- Outpatient Facilities;
- Health Plans; and