In April 2003, the U.S. Department of Health and Human Services, or HHS, Office for Civil Rights, or OCR, began enforcing the Health Insurance Portability and Accountability Act, commonly known as HIPAA. Now, a decade later, we can look at how the rule is being applied.
Facts and figures
As of press time, HHS had received a total of almost 80,000 HIPAA complaints. Of those, more than 44,000 were dismissed, more than 19,000 were investigated and resolved with changes to privacy practice, and more than 9,000 were investigated and no violation was found. Investigations were conducted against many types of entities, including national pharmacy chains, major medical centers, group health plans, hospitals and small provider offices. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement, followed by general hospitals. With the exception of 2009, HIPAA complaints have been increasing annually. In 2011, more than 9,000 complaints were received.
According to HHS, the compliance issues investigated most frequently are, in order:
Typically, complaints are resolved by the covered entity (i.e., hospital, pharmacy, health plan or medical practice) instituting new procedures to ensure patient privacy, training or retraining staff, censuring or dismissing staff, and making policy changes to protect electronic data. Often settlements also include monetary payments. Some recent examples of enforcement actions include the following:
Use caution with personal health information
To avoid HIPAA privacy issues, it’s wise to treat patient records as you would want your own private records treated. In other words:
Stay tuned for the next law column, which will cover frequently asked questions about the HIPAA privacy rule.
Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.