| HIPAA & Breach Enforcement
Statistics for May 2013
Produced by Health Information
Privacy/Security Alert |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Special Subscription Offer from Health Information Privacy/Security Alert Save 50% on an Annual Subscription or Subscribe for 6 Months for only $99 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Our Webinars Understanding & Coping with the New HITECH Regulations - 2 Part Webinar Series Understanding & Deploying OCR's
New Data De-Identification Guidance 9th Annual Review of Medical Privacy and Data Security Enforcement Managing Mobile Medical Apps for HIPAA & HITECH Act Compliance Nov. 27, 2012 |
OCR Receives 79,000 Reports fo Small Breaches;
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Breaches Involving Network Services As of April. 17, 2013 |
|
| # of Breaches | Reason for Breach |
| 17 | Hacking/It Incident |
| 12 | Theft |
| 11 | Unauthorized Access/Disclosure |
| Source: Health Information Privacy/Security Alert Analysis of HHS Office for Civil Rights Data | |
When HITECH required breach reporting, there was an expectation that patient HIPAA complaints would increase after Sept. 23, 2009, when covered entities were required to report incidents affecting more than 500 patients after that date.
More complaints also were expected because of requirements to notify patients of breaches affecting fewer than 500 patients as well. As of April 15, there have been 79,000 reports of small breaches.
While the number of HIPAA privacy complaints has risen generally; the breach reporting has not had a significant affect, according to OCR Deputy Director Sue McAndrew. Presenting at the April 17 Melamedia webinar, A Decade of HIPAA Enforcement, McAndrew observed that few patient complaints are resulting from the federal breach reporting rules, although the agency has received an occasional complaint generated by state breach notification rules.
She suggested that covered entities may be doing a good job of explaining the breaches and their implications to patients. In turn, patients have felt little need to submit a HIPAA privacy complaint.
Meanwhile, health data breaches involving more than 500 patients rose to 571 from 543 as OCR posted 28 new breaches, according to a HIP/SA analysis of agency data from March 18 through April 17. The number of affected patients of the major breaches rose modestly to 21,744,113 from 21,516,294.
BA's were involved in 11 of the 28 newly reported breaches.
The full analysis of the health data breaches is available in Health Information Privacy/Security Alert.
Take advantage of a special offer for a one-year e-subscription to Health Information Privacy/Security Alert. click here
CD Now Available
A Decade of HIPAA Enforcement
How We Got Here & Where We're Going
April 17, 2013
Funds that OCR receives from its resolution agreements are plowed back into enforcement, OCR Deputy Director Sue McAndrew said in an April 17 Melamedia webinar. The sequestration may affect the agency's appropriation from Congress, but the funds from the fines and penalties are treated differently.
That arrangement could provoke fears that the agency may try to offset sequestered funds with more penalties. However, that is unlikely, in part, because if OCR demonstrates that it can survive off fines in some fashion, Congress is likely to cut its annual appropriations further.
Even more significantly, such a strategy could compromise public support for the enforcement effort.
Meanwhile, OCR reported it received 79,920 complaints, suggesting that it received 1,049 complaints in March. It received 994 in February after receiving 686 in January. The statistics suggest that OCR is finding more problems with CEs in recent months.
OCR stated recently that the higher levels of enforcement were not attributable to increased breach reporting under HITECH.
Of the 27,973 HIPAA complaints that fell within OCR's jurisdiction, 19,306 required corrective actions by covered entities (CEs).
An analysis by HIP/SA found that the agency determined that 379 complaints required CE action in March compared to 216 in February and 152 in January.
The remaining 9,146 complaints within OCR's jurisdiction found no violation.
The agency said it had resolved more than 91% of all the complaints that it had received. However, that statistic included a large number of complaints (44,118) that did not fall within HHS's jurisdiction.
OCR's numbers indicated that it had 7,350 complaints in some phase of the investigative process in March compared to 7,316 complaints in February and 7,077 in January.
Overall, about 26.6% of total complaints resulted in some corrective action by CEs.
OCR referred more than 515 cases to the Justice Department for possible criminal prosecution. That indicated the agency made one referral in February. It made five referrals in January and six referrals in December.
.The privacy areas investigated most often were:
OCR released a memo to the public reminding them and the healthcare community, that patients are entitled to access to their medical records at reasonable costs.
The most common types of covered entities that had to take corrective action were:
Subscribe
to
HIPAA & Breach Enforcement Stats
3-Part Series: Domino Effects
of
HIPAA & HITECH on the Healthcare Workforce
July, Aug. & Sept. 2012
The
Implications of Stage 2 Meaningful Use
for HIPAA Privacy & Security
Sept. 2012
The Ripple Effects of HHS Proposed Requirements
for Accounting of Disclosures
July 2011
Patient Data Stewardship in the New World of ACOs
May 2011
The Nuts & Bolts of Insurance & Covering
The Costs of Health Data Breaches
Aug. 2010
Save 50% on an Annual Subscription
& Get Any One of Our Webinars on CD for Free
Get Additional Webinars for only $69 each.
or Subscribe for 6 Months for only $99
Download the Order Form
visit Melamedia's Education Page
for a Complete List of Eligible Webinars
| PRIVACY | ||||||||
| HIPAA Complaints Lodged with OCR Through March 31, 2013* |
||||||||
|---|---|---|---|---|---|---|---|---|
Month |
Monthly |
Running Total* |
Cases Under OCR Jurisdiction |
Cases Requiring CE |
Cases Requiring No CE Action |
% Required CE Action of Total Lodged Complaints |
Cases Referrals to DoJ |
Running Total for DoJ* |
2010 |
||||||||
November |
635 | 56,754 | 18,836 | 12,336 | 6,500 | 21.7% | 1 | 483 |
December |
621 | 57,375 | 19,161 | 12,573 | 6,588 | 22% | 0 | 483 |
2011 |
||||||||
January |
774 | 58,119 | 19,460 | 12,781 | 6,679 | 22% | 1 | 484 |
February |
792 | 58,911 | 19,787 | 13,003 | 6,784 | 22% | 3 | 487 |
March |
834 | 59,745 | 20,200 | 13,294 | 6,906 | 22.25% | 4 | 491 |
April |
805 | 60,550 | 20,200 | 13,503 | 7,022 | 22.3% | 1 | 492 |
May |
783 | 61,333 | 20,877 | 13,745 | 7.132 | 22.4% | 1 | 493 |
June |
783 | 62,039 | 21,214 | 13,972 | 7.241 | 22.5% | 0 | 493 |
July |
706 | 62,708 | 21,430 | 14,105 | 7.325 | 22.5% | 1 | 494 |
August |
735 | 63,443 | 21,749 | 14,309 | 7.440 | 22.6% | 0 | 494 |
September |
683 | 64,126 | 22,075 | 14,527 | 7.548 | 22.6% | 1 | 495 |
October |
915 | 65,041 | 22,407 | 14,768 | 7.639 | 22.7% | 3 | 498 |
November |
874 | 65,915 | 22,650 | 14,925 | 7.725 | 22.6% | 1 | 499 |
December |
821 | 66,736 | 23,070 | 15,176 | 7.894 | 22.7% | 0 | 499 |
2012 |
||||||||
January |
818 | 67,554 | 23,384 | 15,358 | 8,026 | 22.7% | 0 | 499 |
February |
856 | 68,410 | 23,639 | 15,532 | 8,107 | 22.7% | 0 | 499 |
March |
818 | 69,227 | 23,983 | 15,780 | 8,203 | 22.7% | 1 | 500 |
April |
880 | 70,107 | 24,325 | 16,015 | 8,310 | 22.8% | 0 | 500 |
May |
875 | 70,882 | 24,681 | 16,259 | 8,422 | 22.9% | 2 | 502 |
June |
967 | 71,849 | 25,222 | 16,708 | 8,514 | 23.25% | 0 | 502 |
July |
835 | 72,684 | 25,612 | 17,025 | 8,587 | 23.4% | 0 | 502 |
August |
992 | 73,676 | 26,071 | 17,422 | 8,649 | 23..6% | 0 | 502 |
September |
878 | 74,554 | 26,513 | 17,767 | 8,746 | 23.8% | 0 | 502 |
October |
920 | 75,474 | 26,922 | 18,122 | 8,800 | 24% | 0 | 502 |
November |
990 | 76,464 | 27,175 | 18,328 | 8,847 | 26.3% | 1 | 503 |
December |
726 | 77,190 | 27,466 | 18,559 | 8,907 | 26.3% | 6 | 509 |
| 2013 | ||||||||
January |
686 | 77,877 | 27,682 | 18,711 | 8,971 | 26.4% | 5 | 514 |
February |
994 | 78,871 | 27,973 | 18,927 | 9,046 | 26.4% | 0 | 514 |
March |
1,049 | 79,920 | 28,452 | 19,306 | 9,146 | 26.6% | 1 | 515 |
* Since April 2003/Source: HHS Office for Civil Rights |
||||||||
OCR said that it received 691 complaints alleging a security rule violation since Oct. 1, 2009 when it took over security enforcement from CMS. That suggested it received 23 complaints in March compared to 18 complaints in February and 11 complaints in January.
OCR closed 499 complaints after investigation and corrective action. That indicated that OCR closed 11 complaints in March compared to three cases in February and 18 in January.
The agency also reported that it had 271 open complaints in February compared to 258 in February and 238 in January.
| TRANSACTIONS STANDARDS COMPLAINTS | |||
|---|---|---|---|
| Complaints Received by CMS Through Jan. 31, 2013 |
|||
| Complaint Type | Total | Open | Closed |
| Transaction and Code Sets | 778 | 14 | 764 |
| National Provide Identifier | 61 | 1 | 60 |
| Total | 839 | 15 | 824 |
| No Civil Penalties Imposed | |||
| Open –Outstanding issues remain. Entity may be under a corrective action plan or additional information from either the complainant, the filed against entity, or both is being sought. |
|||
| Source: CMS | |||
© 2013 Melamedia LLC