Today I communicated with Sue Marquette Poremba at SC Magazine for an article she published this afternoon, “Proliferating HIPAA complaints and medical record breaches”.
She had seen my blog posting from yesterday, “HIPAA Complaints And Associated Resolutions Since 2003”, and asked me some follow-up questions.
Here is the full reply I sent to her, much of which she used within her article, but with some other points I want to note as well…
“I’ve been following HIPAA for many years. Prior to writing my book about HIPAA, “The Practical Guide to HIPAA Privacy and Security Compliance”, I worked for 12 years at a healthcare insurer, and since leaving there 8 1/2 years ago I’ve done a lot of work with covered entities (CEs) of all types.
The protected health information (PHI) security and privacy goals of HIPAA, in spirit and intent, are good. The regulatory oversight of the HHS, however, has been completely underwhelming. The fact that they did not even do their first audit until last year despite having received 32,595 HIPAA complaints within the OCR (which is responsible for Privacy Rule oversight) since April 2003 is testimony to the OCR’s…actually the HHS’s in general…lack of due diligence for HIPAA Privacy Rule enforcement.
A somewhat positive sign was when the OCR contracted PwC last fall to perform 10–20 audits throughout the rest of 2007 and into 2008.
However, I have seen nothing more about these audits on the HHS sites.
The CMS (responsible for Security Rule compliance) has not even made any statistics available, that I could find, for the numbers of Security Rule complaints they’ve received since April 2005 (when compliance enforcement began for that rule).
The HHS lack of enforcement is in stark contrast to the much more active regulatory oversight activities of the Federal Trade Commission (FTC). Why is there such a disconnect between regulatory oversight activities? Why aren’t all these agencies required to meet a minimum level of due diligence with regard to enforcing the laws they have been tasked to enforce?
I continue to track and try to determine in what ways HIPAA compliance is being enforced. Lack of enforcement results in a significant portion of CEs being lackadaisical in their compliance efforts. The numbers of privacy breaches within CEs of all types continue to grow. The negative impacts to individuals as a result of these privacy breaches continue to grow; it is not just about “identity theft”, but with PHI it is about much more, including insurance fraud, physical crimes, and medical identity theft, which can have devastating physical health impacts on patients.
The statistics provided about Privacy Rule complaints clearly show the numbers increasing on an annual basis. This is a result not only of the growing numbers of privacy breaches, and increasing use of new technologies, but also of the public’s growing awareness of the risks involved with PHI breaches, and the fact that CEs clearly have a law requiring them to protect PHI, but it is a law that is not being enforced.
I could find no explanation in the HHS/OCR report for the large numbers of unresolved HIPAA complaints. The information provided was almost purely statistical in presentation and there was very, very little explanation given to accompany the statistics. Yes, what happened to all these unresolved complaints? Possibly…
- They were carried over into the next year. If this is so, then it would impact how to translate their year-to-year statistics.
- They are still open complaints. If this is so, then this means that 7,059, or 22% of all complaints received, are still unresolved. Why is this acceptable? What is being done about these complaints? Have those who submitted the complaints been given any updates about them?
- They may have sent the “open” complaints over to the CMS to jointly resolve. However, if this was the case, they should have provided some statistics about this.
- They may have sent the “open” complaints over to the Department of Justice for investigation. However, again, if this was the case, they should have provided some statistics about this.
So, with regard to those 7,059 open complaints, it is a mystery, and they remain unaccounted for.
Is the Government Accountability Office (GAO) doing anything to look into this? Don’t know; I could find nothing on their site about this either.
It is also important to point out that the same four issues have been the top issues where complaints were received every single year:
- Impermissible Uses and Disclosures
- Safeguards
- Access
- Minimum Necessary
These categories of vulnerabilities are significant contributors to privacy breaches. These issues could all be addressed and mitigated through stronger compliance activities, more audits, and providing more, and better, compliance education outreach communications, materials and tools to CEs.
If HIPAA is to be effective, it must be strongly enforced, which means holding CEs accountable to be in compliance. The HHS must do something significant for noncompliance, such as applying fines or other types of penalties. Without compliance enforcement, the numbers of HIPAA complaints will continue to rise, and so will the privacy breaches within CEs.”