Privacy and Security Institute Gets Inside OCR Complaint Process

By Julie Dooling, MSHI, RHIA, CHDA, FAHIMA

Healthcare privacy and security experts converged at McCormick Place Sunday for the Privacy and Security Institute, an annual two-day event coinciding with AHIMA19. Iliana Peters, JD, LLM, CISSP, kicked things off Saturday with her general session presentation, “Updates from HHS OCR – What’s Your Favorite Regulator Done for You Lately?”

Peters, former deputy director of health information privacy at the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and now a shareholder at Polsinelli LLP, urged attendees to work within their healthcare organizations to respond to the December 2018 request for information (RFI) that precedes a HIPAA Privacy Rule Notice of Proposed Rulemaking. Responding to these requests, she said, is “really important.”

Peters also walked through OCR’s complaint investigation process, from the initial complaint, through the investigation, to resolution. According to Peters, OCR receives as many as 20,000 privacy complaints per year.

“While it may be cool for your teenager to post pictures of their X-rays online, it is not okay for their doctor to do so,” Peters said.

With regard to breaches, Peters indicated that OCR’s preference is always to settle first, with a corrective action plan.

“If there is a fine, they must walk away without the benefit of an action plan,” Peters said.

She noted that any breach affecting more than 500 individuals, which is the threshold for posting the breach on OCR’s consumer-facing website, will be investigated. When OCR receives a call or complaint, it first seeks to confirm receipt and the contents of the report, which gives the organization alleged to have committed the breach an opportunity to correct any inaccurate information. Peters stressed that the proper internal person must be listed as the contact on the public-facing website, so that the organization is prepared to respond if members of the media or the public ask about the breach.

She shared OCR enforcement statistics, noting that as of March 31, 2019, OCR had settled or imposed a civil money penalty in 63 cases, for a total of $99,581,582.

Additionally, Peters noted that state attorneys general are enforcing data protection laws more aggressively.

Recurring HIPAA compliance issues she cited include:

  • Business associate agreement noncompliance
  • Missing or inadequate risk analysis
  • Failure to manage identified risks, such as insufficient encryption
  • Lack of transmission security
  • Lack of appropriate audit controls
  • Failure to patch software
  • Insider threats
  • Improper disposal of information