HIPAA Regulatory Alert

HHS launches web site on HIPAA privacy compliance

Provides information on corrective actions taken

To coincide with the fourth anniversary of enforcement of the HIPAA Privacy Rule, the Department of Health and Human Services (HHS) launched a new web site to provide information about how it enforces health information privacy rights and standards compliance.

The web site (www.hhs.gov/ocr/privacy/enforcement) describes HHS activities in enforcing the Privacy Rule, the results of those enforcement activities, and statistics showing which types of complaints are received most frequently and the types of entities most often required to take corrective action as a result of consumer complaints.

As of May 31, HHS and its Office for Civil Rights (OCR) had investigated and resolved more than 4,732 cases by requiring changes in privacy practices and other corrective actions by the covered entities.

In another 2,282 cases, HHS found no violation had occurred. In the rest of the 14,787 completed cases, HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. These include cases in which:

  • OCR lacks jurisdiction under HIPAA — such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule;
  • the complaint is untimely, or withdrawn or not pursued by the filer; or
  • the activity does not violate the rule, such as when the covered entity has disclosed protected health information in circumstances in which the rule permits such a disclosure.

The compliance issues investigated most frequently were, in order of frequency: impermissible uses and disclosures of protected health information; lack of safeguards of protected health information; lack of patient access to their protected health information; uses or disclosures of more than the minimum necessary protected health information; and lack of or invalid authorizations for uses and disclosures of protected health information.

The most common types of covered entities that have been required to take corrective action are, in order of frequency: private practices, general hospitals, outpatient facilities, health plans (group health plans and health insurance issuers), and pharmacies.

OCR refers cases appropriate for criminal investigation, those involving the knowing disclosure or obtaining of protected health information in violation of the rule, to the Department of Justice (DOJ). As of the date of its summary, OCR had made more than 400 such referrals to DOJ.

OCR refers cases that describe a potential violation of the HIPAA Security Rule to the Centers for Medicare & Medicaid Services (CMS). As of the May 31 date of the summary, OCR had made more than 171 such referrals to CMS. In the referred cases that describe potential violations of both the HIPAA Privacy and Security Rules, OCR and CMS coordinate the investigations.

HHS says it also obtains privacy compliance through outreach and education efforts. OCR has reached hundreds of thousands of covered entities and consumers through educational conferences, a toll-free call line, and an interactive web site.