The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) is the federal agency tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, as most folks reading this know, requires health care providers and other covered entities to protect the privacy and security of an individual’s protected health information (PHI). OCR has broad enforcement authority and wide latitude in deciding how to handle complaints alleging violations of HIPAA’s privacy, security, and breach notification rules. OCR can resolve a complaint privately and informally, as it does in many instances. However, OCR also has the authority to impose fines of up to $50,000 per violation, with an annual maximum of $1.5 million. In the most egregious cases, OCR can seek criminal charges against violators. According to a privacy advocate’s evaluation of federal and state public records, although OCR receives thousands of complaints a year (almost 18,000 in 2014 alone), it imposes few financial penalties – less than 30 violators have agreed to pay fines since 2009 according to OCR public records.
Many HIPAA violations each year are committed by repeat offenders. Organizations with the most HIPAA violations are large health care providers, laboratories and pharmacies with numerous locations that serve millions of patients each year. In fact, the U.S. Department of Veterans Affairs has been one of the biggest offenders. Privacy advocates suggest that the OCR has been too lenient in its enforcement efforts and that the sheer number of violations by these repeat offenders signal organizational failures that require more strict enforcement and punitive action by OCR to gain compliance.
Deputy Director for Health Information Privacy at OCR Deven McGraw has stated that the agency’s top priority is investigating “large breaches” that affect at least 500 people, but that OCR needs to do more to curb HIPAA violations by repeat offenders . McGraw largely blames the agency’s case management system as an impediment. This is consistent with two reports issued in late 2015 by the Department of Health and Human Services (HHS) Inspector General that fault the OCR’s case-tracking system for its inability to proactively track repeat offenders.
The studies also identified other inadequacies in policy and procedure that contributed to the inability to adequately track and address repeat violations, including:
- OCR does not enter information related to small breaches (affecting less than 500 people) in its case-tracking system, which limits its ability to track covered entities with multiple small breaches;
- 26 percent of all large breach complaints investigated by OCR had incomplete documentation related to corrective action taken by the covered entity;
- Nearly 30 percent of investigators rarely or never checked in the case-tracking system whether the covered entity had any previous large breaches; and
- OCR did not have a standard way to enter covered entities’ names in the case tracking-system, limiting investigators’ ability to search and identify repeat offenders while investigating a complaint.
The HHS Inspector General recommended that OCR should (1) begin tracking all breaches in its case-tracking system, not just the large breaches; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches; (4) develop a policy to require OCR staff to check whether covered entities reported prior breaches; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all recommendations.
OCR claims it is taking steps to fix the problems identified in the studies. Public pressure on the agency to address repeat offenders that continue to violate HIPAA with little consequence is intensifying. As a result, we expect that OCR will be more aggressive in the future responding to complaints, particularly for repeat offenders. We also anticipate that the use of fines and other punitive measures will become more widespread. The fact that the Federal Trade Commission (FTC) also continues its separate efforts to investigate and enforce health care data breaches as “unfair” acts or practices under Section 5(a) of the Federal Trade Commission Act (FTC Act), despite dismissal of the FTC’s complaint against LabMD for a possible data breach of 1,718 patients’ insurance claim information, (DataPoints: Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016), means that covered entities must be even more vigilant about healthcare data, given anticipated regulatory enforcement from both OCR and FTC.