The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released two annual reports regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA) and provisions enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The reports indicate that HIPAA-related complaints continue to grow annually; however, OCR intends to focus its compliance efforts on “high-impact” cases unless it obtains additional funding. Additionally, the reports suggest that OCR is increasingly willing to impose significant penalties and seek large monetary settlements for HIPAA violations. Below we discuss the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, and in a separate post we address the annual report dealing with breaches.
Complaint Resolution. The report on covered entity compliance with the HIPAA Privacy, Security, and Breach Notification Rules indicates that the number of complaints alleging violations of HIPAA has continued to grow annually. While OCR lacks jurisdiction to investigate the majority of these complaints, about two-thirds of investigated cases result in OCR requiring corrective action or providing technical assistance.
In 2011 and 2012, OCR received the largest number of complaints alleging HIPAA violations of any calendar years until that point (9,022 and 10,454, respectively). OCR lacked jurisdiction over about 55% of the resolved complaints, investigated about 45% of resolved complaints, and provided technical assistance or required corrective action in over two-thirds of the complaints it investigated. These numbers reflect the overall resolution of HIPAA complaints received between April 14, 2003 (the compliance date of the HIPAA Privacy Rule) and December 2012. During that time, OCR received over 77,000 complaints and resolved 70,259 of these. Of the resolved complaints, 60% (42,793) were not actionable because there was no HIPAA violation or because the violation occurred before the compliance date. OCR investigated nearly 40% (27,466) of resolved complaints and required corrective action or provided technical assistance in 67% (18,559) of investigated cases.
Resolution Agreements and Imposition of Civil Monetary Penalty. In 2011 and 2012, OCR signed Resolution Agreements with seven entities, requiring them to pay a settlement amount and complete a corrective action plan. OCR pursues resolution agreements when it finds “noncompliance due to willful neglect, or where the nature and scope of the noncompliance warrants additional enforcement action . . . .” The 2011 and 2012 agreements resolved “high-impact” cases that OCR believes will result in substantial industry impact. Settlement amounts ranged from $50,000 to $1.7 million, and corrective action plans included features such as training employees, conducting risk analyses, and developing risk management plans.
In February 2011, the Department imposed the first civil monetary penalty (CMP) for violations of HIPAA. Of the $4.3 million CMP imposed on Cignet Health of Prince George’s County, Maryland, $1.3 million was based on the finding that Cignet had denied 41 patients access to their medical records; $3 million was based on the finding that Cignet failed to cooperate with the Department’s investigations “on a continuing daily basis” for roughly a year “due to Cignet’s willful neglect to comply with the HIPAA rules.”
Audit Activity. The Report discussed the HITECH Act’s requirement that the Department provide for periodic audits to ensure compliance with the HIPAA Privacy and Security Rules. OCR has completed an audit pilot project in which audit protocols were developed and tested and 115 audits of covered entities were conducted. Over 80% of audited entities had deficiencies related to the Privacy, Security, and Breach Notification Rules.
Future Enforcement Efforts. Based on the increased volume of HIPAA complaints, OCR expects to “work smarter” by resolving complaints through early intervention and technical assistance, rather than through investigation. OCR expects to focus resources on cases presenting serious allegations, pervasive compliance issues, and reviews of high-impact cases.