Government Health IT published an interesting report today, “Most privacy complaints are not investigated.”
From the article:
“The Department of Health and Human Services investigated less than 25 percent of 22,964 privacy complaints submitted to HHS’ Office for Civil Rights (OCR) from April 2003 through September 2006”
This was according to the newly released “3rd Annual Review of Medical Privacy and Security Enforcement” from Melamedia LLC. The full report costs $260.
Fine…I’ll continue reading the free published report about the full study report…
“Melamedia found that of the 5,400 complaints investigated – all of which were filed against health care organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) – OCR officials took informal action in 3,700 cases. Officials absolved the accused health care organizations in 1,700 others.”
The authors raised their own questions about why so few complaints have been investigated.
I’m also disappointed in the enforcement efforts, but not surprised. Over the past couple of years I’ve been doing business partner and vendor security program reviews for some of my clients, and some of those partners have been state agencies. An interesting exemption from the HIPAA business associate agreement requirement, and one amazingly unknown to the folks I’ve spoken to in the OCR and CMS enforcement offices, applies to those state agencies that fall under the Medicare Modernization Act (MMA). (A long story that would be good to discuss in another blog posting, or perhaps a white paper.) Related to this, I have spoken at length with several of the folks in each of the CMS and OCR enforcement offices about when they pursue compliance investigations. Both offices told me that, basically, unless an actual incident had occurred, they would probably not investigate a complaint.
Huh?
Yes, a federal law implemented to help protect patient information, but which is apparently being begrudgingly enforced by those given that responsibility.
With the new False Claims Act Guidelines coming into play with HIPAA enforcement, which I blogged about recently, I wonder if enforcement activities will increase.
The most significant way to make HIPAA effective is consistent and active enforcement. Too many covered entities are now shrugging off their compliance requirements, knowing that the likelihood of receiving resulting fines and penalties is nil, based upon the number of fines and penalties actually applied by OCR and CMS on behalf of the Department of Health and Human Services (HHS)…nil.
Tags: awareness and training, CMS, False Claims Act, HIPAA, Information Security, IT compliance, OCR, patient privacy, policies and procedures, privacy