HIPAA: 43,691 Complaints and Counting
If you ever wonder what progress the Office for Civil Rights is making as it works its way through HIPAA privacy rule complaints, the numbers are easy to find. Each month OCR reports top-line results of the HIPAA cases it has received and resolved.
OCR has logged approximately 43,700 complaints since the privacy rule went into effect April 14, 2003. It has resolved 86 percent of them, and as of April 30 it had nearly 6,000 cases still on its to-do list.
OCR enforces the HIPAA privacy rule only. Enforcement of the security rule falls to the Centers for Medicare and Medicaid Services. Violations of either rule that involve possible criminal violations are referred to the Department of Justice. Through April 30 of this year, OCR had referred 456 cases to the DOJ and 306 cases to CMS.
Individuals filed 8,526 privacy complaints with OCR in 2008. This is up 4 percent from the previous year, and up 23 percent since 2004, the first full year of the rule.
OCR reviews all complaints, but not all require investigation. In 2008 the office resolved 9,280 complaints, of which 36 percent warranted an investigation. Of those, 2,210 resulted in corrective action. No violation was found in the remaining 1,163 cases.
This breakdown largely reflects past history. Since 2005 approximately one-third of complaints have required investigation. Approximately two-thirds of investigations have resulted in corrective action.
Improper use and disclosure of protected health information has been the leading compliance violation since 2004. The following three issues have not changed, either. They are, in order: lack of safeguards for protected health information, lack of patient access, and use or disclosure of more than the minimum necessary information. The fifth spot has alternated among issues related to amendments, notices, mitigation, and authorization.
Private practices lead the list of covered entity types that have been required to take corrective action. General hospitals follow.