HIPAA & Breach Enforcement Statistics for September 2014

Produced by Health Information Privacy/Security Alert
Published by Melamedia, LLC


Theft Continues to Lead the Way for HITECH Breaches

Overview of BA Breaches
As of Aug. 17, 2014

Incidents  Breach Type
136        Theft
50         Unauthorized Access/Disclosure
29         Other
27         Hacking/IT Incident
22         Loss

Source: Health Information Privacy/Security Alert Analysis of HHS Office for Civil Rights Data

Health data breaches involving more than 500 patients rose to 1,083 from 1,065 as OCR posted 18 new incidents affecting more than 1,623,197 patients, according to the latest analysis by HIP/SA of OCR data from July 18 through August 17. More than 33,773,557 patients have been affected overall since OCR started publishing data.

Business Associates (BA) may have been involved in as many as 310 incidents, which suggests BAs were involved in five of the 18 newly listed incidents.

However, that number is uncertain because the OCR statistics do not indicate whether a Business Associate was involved in at least two dozen instances.

Theft was the leading cause of all reported breaches, accounting for 552 by itself and involved in more than 52 other instances. Unauthorized Access/Disclosure accounted for 153 incidents by itself and was also involved in more than 58 incidents.

A fuller analysis of the health data breaches is available in Health Information Privacy/Security Alert.

HIPAA Complaints Plummet in June

OCR reported that, as of June 30, it had received 98,279 HIPAA patient complaints since the agency began enforcing the privacy rule in April 2003.

The number indicated that the monthly number of patient complaints filed with OCR plummeted to 577 in June from the 2,114 it received in May. It received 1,143 complaints in April.

Of the 32,958 complaints that fell within OCR's jurisdiction since April 2003, 22,706 required corrective action by covered entities (CEs).

Investigations of the remaining 10,252 complaints within OCR's jurisdiction found no violation. That meant that 60 complaint investigations did not uncover a HIPAA violation in June.

OCR said it resolved 95% of all the complaints that it had received since April 2003. That resolution level also included a very large number of complaints (60,277) that did not fall within OCR's jurisdiction.

Almost two-thirds of patient complaints lodged with OCR fall outside the agency's jurisdiction.

The privacy areas investigated most often were:

  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of PHI;
  • Lack of patient access to their PHI;
  • Uses or disclosures of more than the Minimum Necessary PHI; and
  • Lack of administrative safeguards of electronic PHI.

OCR Security Stats

OCR said that as of June 30, it had received 901 complaints alleging a security rule violation since it took over enforcement from CMS in October 2009. The agency statistics suggested that it received 21 complaints in June. It received 21 in May and 21 in April.

The agency said it closed 658 after investigation and corrective actions taken by CEs as of June 30. That indicated that the agency closed 14 cases in June. It closed 25 cases in May and 14 cases in April.

HIPAA Transactions Standards
CMS Did Not Update Stats Since January 2014

Complaints Received by CMS
Through Jan. 31, 2014

Complaint Type                Total  Open  Closed
Transaction and Code Sets       808    21     787
National Provider Identifier     62     0      62
Total                           870    21     849

No Civil Penalties Imposed

Open – Outstanding issues remain. Entity may be under a corrective action plan, or additional information from either the complainant, the filed-against entity, or both is being sought.
Closed – No further action required. All issues have been sufficiently resolved.

Source: CMS

© 2014 Melamedia LLC
