Enforcement of HIPAA is changing

There are many indicators that make us believe that we will see a distinct uptick in OCR enforcement activity.  The last two OIG reports say OCR isn’t doing enough, the news points out issues with enforcement, and even Congress is getting in the mix. In this episode, we discuss why this makes us think you don’t want to wait around to see IF OCR starts doing anything differently.


Enforcement Major Point in 2015 OIG Report

The latest OIG report does say they are investigating large breaches and they note: in almost all of the closed large-breach cases, it determined that covered entities were noncompliant with at least one HIPAA standard

The 2015 report says that OCR should:

  1. Enter small-breach information into its case-tracking system or a searchable database linked to it;
  2. Maintain complete documentation of corrective action;
  3. Develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches;
  4. Develop a policy requiring OCR staff to check whether covered entities reported prior breaches; and
  5. Continue to expand outreach and education efforts to covered entities. OCR concurred with all five recommendations and described its activities to address them.

Special shout out to HIPAA Journal.  We really appreciate what you guys do over there!

Enforcement Miscues Making in the News

Recent NBC report showing the fax number issues that APS Marketing Group in Brooklyn dealt with this year.  The company started receiving faxes containing the medical information of patients from a medical clinic in April, 2015 intended for Quest Diagnostics.  Eventually they were receiving faxes were coming from multiple facilities directed to Quest.

This had been going on for months with hundreds of patient records containing Quest lab request information ending up in the company’s faxes received.

The company contacted Quest who said they would try to fix it. But, faxes kept coming.

Next, they reported to HHS and they said it would get it resolved. But, faxes kept coming.

Next, they called OCR and was told it was closed.

Finally, they called in a reporter and a local New York news station started reporting on the issue. Now, that did the problem get solved.

Enforcement Questions from Senators

Senators asking HHS / OCR / CMS for answers to all the issues with breaches.

Medicare/Medicaid programs budget approximately $98 billion each year to cover the cost of medical identity theft corresponds to 10% of the programs’ annual budgets

The letter asks:

    • What the CMS and HHS is doing to monitor medical identity fraud
    • What is CMS and/or the OCR is actually doing anything to track cases of ID theft and fraud
      OCR uses the data collected from covered-entities to monitor potential breach victims and find out if their data have in fact been used by criminals
    • They also want to know whether any education materials or help are offered to breach victims by the CMS and OCR

A response was requested by November 24.  As of the release of this podcast we can’t find information relating to any response that has been provided from HHS on this request.

One last note

It appears people just don’t expect their data to be protected at all.  Even when it is required by law.  A new survey conducted by the University of Phoenix College Health Professions School indicates that patients do not trust their healthcare providers to keep data secure. Over 2,000 adults were asked about the security of their health data, and 83% of adults over the age of 50 expressed concern about the vulnerability of their data. The younger generation were less concerned, although 72% of that age group also expressed concern. Overall, 76% of respondents said they were concerned about the ability of their healthcare providers to prevent their data from being exposed in cyberattacks. Interestingly, when asked about the sharing of health data, 55% said they were somewhat comfortable or very comfortable, but 45% said they were not.


[button_1 text=”Discuss%20In%20The%20Forums” text_size=”30″ text_color=”#ffffff” text_font=”Helvetica;default” text_bold=”Y” text_letter_spacing=”0″ subtext_panel=”N” text_shadow_panel=”Y” text_shadow_vertical=”1″ text_shadow_horizontal=”0″ text_shadow_color=”#000000″ text_shadow_blur=”0″ styling_width=”40″ styling_height=”36″ styling_border_color=”#bd3f00″ styling_border_size=”1″ styling_border_radius=”10″ styling_border_opacity=”100″ styling_gradient_start_color=”#ff5500″ drop_shadow_panel=”Y” drop_shadow_vertical=”5″ drop_shadow_horizontal=”0″ drop_shadow_blur=”0″ drop_shadow_spread=”0″ drop_shadow_color=”#bd3f00″ drop_shadow_opacity=”100″ inset_shadow_panel=”Y” inset_shadow_vertical=”0″ inset_shadow_horizontal=”0″ inset_shadow_blur=”0″ inset_shadow_spread=”1″ inset_shadow_color=”#ffffff” inset_shadow_opacity=”25″ align=”center” href=”https://www.hipaaformsps.com/community/index.php”/]