Despite a proliferation of healthcare breaches and warnings from the Office of Civil Rights that it plans to crack down on organizations that don't effectively protect patient data, far too few organizations have been fined for failing to do so, according to research from ProPublica.
Since October 2009, healthcare entities and their business associates have reported more than 1,140 large breaches to OCR, affecting more than 41 million people. They've also reported more than 120,000 smaller incidents affecting fewer than 500 people each.
During that time, OCR levied fines just 22 times, according to the article. OCR declined to be interviewed for the ProPublica article, but a spokeswoman said by email that those cases in which fines were levied "have involved systemic and/or long-standing" concerns.
An OCR attorney told an American Bar Association conference last June that the fines levied for HIPAA violations over the year prior would "pale in comparison" to those of the following 12 months. Those fines included nine settlements that totaled more than $10 million, such as a record $4.8 million fine announced in May 2014 against New York-Presbyterian Hospital and Columbia University.
Even so, OCR entered into just six resolution agreements in 2014, up from five in 2013, writes FierceEMR's Marla Durben Hirsch, who predicts that the Anthem breach, which exposed information for nearly 80 million people, still won't be the industry's wake-up call.
In light of the Anthem breach, however, lawmakers are reviewing HIPAA and said they will consider making encryption mandatory.
The Office of the National Coordinator has repeatedly been chastised for not protecting patient data better and for not conducting audits required in the HITECH Act. No start date has been announced for the permanent HIPAA audit program, which was supposed to start in 2014. Even when it begins, it's slated to audit only 800 covered entities and 400 business associates for HIPAA compliance.
State attorneys general have the power to enforce HIPAA, too, but rarely do. New York regulators did not impose any sanctions against a hospital in which a man's treatment and death were filmed and shown on a reality TV show without the family's permission.