The U.S. Health Insurance Portability and Accountability Act (HIPAA) has required compliance from covered entities (CEs) since 2003. The Department of Health and Human Services (HHS) is the Federal agency with regulatory oversight for compliance, with the Office of Civil Rights (OCR) responsible for Privacy Rule enforcement and the Centers for Medicare and Medicaid Services (CMS) responsible for Security Rule enforcement. Why two different offices to perform enforcement activities? No good reason was ever given.
I was just out looking on the HHS’s HIPAA compliance and enforcement site.
On May 12, 2008, they provided some interesting statistics from their enforcement activities from the past 5 years. Looks like they love Excel and the graphing capabilities! 🙂 I want to share some of the statistics with you…
- Over the last five years, the OCR “resolved” 25,536 complaints out of 32,595 complaints received, from April 14, 2003 through December 31, 2007, alleging violation of HIPAA.
- The greatest number of those resolutions, 16,528 or close to 65% of all resolved cases, happened after completion of the initial intake and review stage.
- In cases that were referred for further investigation and review the OCR took “corrective action” 6,418 times and found “no violation” 2,690 times.
- The agency has not imposed civil money penalties on any CE (providers, payers, and clearinghouses) as a result of corrective action it has taken during this period.
On a year-to-year basis:
- In 2007, OCR received 8,132 complaints and resolved 7,176 cases; 4,977 cases were resolved after intake and review; corrective action was taken on 1,484 cases; and no violation was found with 715 cases.
- In 2006, OCR received 7,332 complaints and resolved 6,467 cases; the agency resolved 4,001 cases after intake and review; a total of 1,571 cases resulted in corrective action; and no violation was found with 895 cases.
- In 2005, OCR received 6,853 complaints and resolved 5,621 cases; 3,818 were resolved after intake and review; the agency took corrective action in 1,161 cases; and found no violation in 642 cases.
- In 2004, OCR received 6,534 complaints and resolved 4,764 cases; 3,372 cases were resolved in intake and review; the agency took corrective action in 1,033 cases; and found no violation in 359 cases.
- In 2003, the agency received 3,744 complaints and resolved 1,508 cases; 260 were resolved in intake and review; OCR took corrective action in 1,169 cases; and found no violation in 79 cases.
Resolution of Investigated Cases
- In 2007, OCR investigated 2,199 complaints. 67% resulted in corrective action and 33% were found to have no violation.
- In 2006, OCR investigated 2,466 complaints. 64% resulted in corrective action, and 36% were found to have no violation.
- In 2005, OCR investigated 1,803 cases. 64% resulted in corrective action, and 36% were found to have no violation.
- In 2004, OCR investigated 1,392 complaints. 74% were resolved with corrective action, and 26% had no violation.
- In 2003, beginning on the effective date of April 14, the agency investigated 339 cases, with 77% resulting in corrective action, and 23% found to have not committed a violation.
Looking through all of these, the numbers don’t add up. For example, in 2007:
- # of complaints received = 8,132
- # of complaints resolved = 7,176
- # of complaints UNresolved = 956
What happens to all the unresolved complaints? Do those get flagged for an audit? For further investigation? For fines/penalties? Get carried over to the next year? Do they fall into a black hole?
I thought perhaps their flowchart that shows the complaint process might help to explain. But no, it really does not.
It is noteworthy that the number of complaints is steadily rising each year…along with the numbers of privacy breaches and medical identity theft incidents…and general awareness of these issues by the public.