OCR on HIPAA enforcement: 'We may have more fines in the future'

Covered entities and their business associates continue to struggle with HIPAA compliance, with the Health and Human Services Department's Office for Civil Rights (OCR) receiving almost 20,000 complaints a year, according to Iliana Peters, the agency's senior advisor for compliance and enforcement.

“People are very concerned [about] the privacy and security of their information,” Peters said Thursday at a conference co-hosted by OCR and the National Institute of Standards and Technology in the District of Columbia. OCR investigations stem not only from complaints but also from breach notifications reported by covered entities as required by HIPAA, news reports, and information from other government agencies.

Some of the most common issues in enforcement that OCR is dealing with, she said, include:

  • A lack of business associate agreements between business associates (BAs) and covered entities
  • Agreements that are not updated to include the requirements of the HITECH Act
  • Incomplete or inaccurate risk analyses
  • Failure to manage an identified risk or do so within a reasonable time frame
  • Lack of transmission security
  • Insider threats
  • Improper disposal of patient information
  • Insufficient data backup and contingency planning

Peters also noted that this year OCR has already resolved 12 matters, 11 by settlement agreement and one by civil monetary fine, with recoveries of more than $20 million. In 2015 the totals were only $6.2 million. Settlement agreements, under which entities pay far less but commit to corrective action, are meant to be instructive to the industry. A fine, she said, is imposed when necessary.

“We may have more fines in the future,” Peters warned.

OCR will be providing more guidance to help entities and BAs, noted Deven McGraw, OCR’s deputy director for health information privacy, also speaking at the conference. The guidance will address, among other things, the distinction between a request for records from a third party and one from an individual patient, text messaging, sharing information with a patient’s friends and family, and social media.

McGraw also pointed out that the desk audits in Phase 2 of the HIPAA audit program are underway, but that it is too early to share results. Audits of BAs, she said, will begin in November.
