HIPAA & Breach Enforcement Statistics for December 2013
Dec. 17, 2013
New Webinar on CD
OCR Posts 38 Breaches in One Month; BAs Involved in 1
Health data breaches involving more than 500 patients rose to 720 from 682 as OCR posted 38 new cases, according to a HIP/SA analysis of OCR data from Oct. 18 through Nov. 17.
The number of patients affected by all major breaches was 27,771,823 compared to 26,937,427 in the previous month.
Theft was the leading reason for breaches, accounting for 326 by itself and implicated in more than 40 other cases. Unauthorized access/disclosure accounted for 119 breaches by itself and was implicated in at least another 40 instances.
Business Associates were involved in 157 breaches, indicating that they were involved in only one of 38 newly posted breaches
A fuller analysis of the health data breaches is available in Health Information Privacy/Security Alert.
CD Now Available
HIPAA Complaints Plummet in October
OCR reported it received 87,597 complaints, suggesting that it received 876 HIPAA complaints in October. That represented a dramatic decrease from the 1,482 received in September as well as the 1,117 received in August.
Of the 31,639 HIPAA complaints that fell within OCR's jurisdiction, 21,832 required corrective actions by covered entities (CEs). The low number may reflect the effects of the government shutdown as OCR personnel may not have been available to pursue action.
An analysis by HIP/SA found that the agency determined that 69 complaints required CE action in October compared to 492 in September and 597 in August, which also suggested that the government shutdown may have played a role.
Investigations of the remaining 9,807 complaints within OCR's jurisdiction found no violation.
Overall, about 26.4% of total complaints resulted in some corrective action by CEs. That was the same percentage as in September.
OCR's numbers indicated that it had 4,899 in some phase of the investigative process in October, compared to 4,516 in September and 7,102 in August.
OCR referred more than 520 cases to the Justice Department for possible criminal prosecution, indicating it made no referrals in October, two referrals in September and no referrals in August.
Referrals for criminal prosecution do not necessarily mean the Justice Department will act. Often, these decisions are left to the U.S. Attorneys in whose jurisdictions action may be required. The U.S. attorneys typically determine where to put their prosecutorial resources.
The agency recently revealed that the Justice Department had agreed to pursue 54 of the referrals since OCR started the complaint system in April 2003.
.The privacy areas investigated most often were:
OCR released a memo to the public reminding them and the healthcare community, that patients are entitled to access to their medical records at reasonable costs.
The most common types of covered entities that had to take corrective action were:
Special Subscription Offer from Health Information Privacy/Security Alert
Save 50% on an Annual Subscription
for a complete list of webinars
OCR Security Stats
OCR said it received 759 complaints alleging a security rule violation since it took over security enforcement from CMS in October 2009.
Of particular note is that the HITECH Act breach notification rules have generated more than 80,000 reports of breaches affecting more than 900,000 patients since September 2009. However, OCR does not investigate all of these breaches.
The agency statistics suggested it received nine new complaints in October compared to 12 in September and 10 in August.
The agency said it closed 573 complaints after investigation and corrective action. That suggested that the agency closed four in October compared to 26 cases in September and three in August.
HIPAA Transactions Standards
|TRANSACTIONS STANDARDS COMPLAINTS|
Complaints Received by CMS
Through July 31, 2013
|Transaction and Code Sets||791||18||773|
|National Provide Identifier||61||0||60|
|No Civil Penalties Imposed|
Open –Outstanding issues remain. Entity may be under a corrective action plan or additional information from either the complainant, the filed against entity, or both is being sought.
© 2013 Melamedia LLC