Bookmark and Share

HIPAA & Breach Enforcement Statistics for August 2014

Produced by Health Information Privacy/Security Alert
Published by Melamedia, LLC


Bookmark and Share  

New Webinar on Demand
Defending Your Organization's Name In the World of HIPAA
July 23, 2014

Our Webinars
 on CD

Webinars Qualify for IAPP CEs

New On-Demand Webinar
Learn What Class Action Attorneys Look for in HITECH Breaches
May 1, 2014


Confronting HIPAA & HITECH Vulnerabilities in Health Data Registries
Feb. 27, 2014
Order On-Demand Access


HIPAA/HITECH Compliance & FDA's Mobile Medical Apps Guidance
Oct. 30, 2013
Listen to a Sample


Special Offer
Don't Act Rashly in Punishing Security Violations!
Special Offer
3-Part Series: Domino Effects of HIPAA & HITECH on the Workforce


2-Part Webinar Package
Cutting Through the Hype On HIPAA & HITECH Enforcement
Save More than $100 When You Order Both CDs



The Effects of the Supreme Court Rulings on Same-Sex Marriage on Patient Rights, and HIPAA and HITECH Compliance Aug. 13, 2013

Listen to a Sample


Understanding & Deploying OCR's New Data De-Identification Guidance
Jan. 17, 2013


Breaches of Paper Records Continue to Plague Healthcare

Over View of Top HITECH Breaches
 As of July 17, 2014
# of Breaches Reason Location # of Patients
195 Theft Laptop 4,170,528
82 Theft Desktop 6,537,622
79 Theft Paper 331,367
41 Unauthorized Access/ Disclosure Paper 435,803
40 Theft Other 1,756,791
Source: Health Information Privacy/Security Alert  Analysis of  HHS Office for Civil Rights Data

Health data breaches involving more than 500 patients rose to 1,065 from 1,026 as OCR posted 39 new incidents affecting more than 499,753 patients, according to the latest analysis by Health Information Privacy/Security Alert of OCR data from June 18 through July 17.

More than 32,150,360 patients have been affected overall since OCR started publishing data.

Business Associates (BA) may have been involved in as many as 305 incidents, which suggests BAs were involved in eight of the 39 newly listed incidents.

However, that number is uncertain because the OCR statistics do not indicate whether a Business Associate was involved in two dozen instances.

Theft was far and away the leading reason for BA breaches, accounting for more than 102 incidents.
Theft was the leading cause of all reported breaches, accounting for 544 by itself and involved in more than 51 other instances.

Paper records were involved in more than 227 incidents posted on OCR's Wall of Shame.

A fuller analysis of the health data breaches is available in Health Information Privacy/Security Alert.

Take advantage of a special offer for a one-year e-subscription to Health Information Privacy/Security Alert click here


Special Subscription Offer
from
Health Information Privacy/Security Alert

  Save 50% on an Annual Subscription
& Get Any One of Our Webinars on CD for Free
 Get Additional Webinars for only $69 each.

or Subscribe for 6 Months for only $99
 Download the Order Form
 
 visit Melamedia's Education Page
 for a Complete List of Eligible Webinars


OCR Has Not Updated Its HIPAA Complaint Statistics for June or July

HIPAA Complaints Exceed 2,000 per Month

OCR reported it received 97,702 HIPAA patient complaints, since the agency began enforcing the privacy rule in April 2003.

The number indicated that it received 2,114 in May. It received 1,143 complaints in April and 1,470 complaints in March.

Of the 32,795 complaints that fell within OCR's jurisdiction since April 2003, 22,613 required corrective action by covered entities (CEs).

An analysis by HIP/SA found that the agency determined that 178 CEs were required to take some action in May compared to 144 in April and 131 in March.

Investigations of the remaining 10,182 complaints within OCR's jurisdiction found no violation. That meant that 68 complaints did not uncover a HIPAA violation in May.

OCR said it resolved 95% of all the complaints that it had received since April 2003. That resolution level also included a very large number of complaints (58,973) that did not fall within OCR's jurisdiction. Almost two-thirds of patient complaints lodged with OCR fall outside the agency's jurisdiction.

Overall, about 24.6% of all complaints resulted in some corrective action by CEs through May 2014. That was slightly lower than the 24.9% in April and 25.1% in March.

OCR indicated that it had 5,304 complaints in some phase of investigation in May, compared to 5,177 complaints in in April and 5,448 in March.

The agency has referred 530 complaints to the Department of Justice for possible criminal prosecution. That suggested that it made four referrals in May.

The privacy areas investigated most often were:

  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of PHI;
  • Lack of patient access to their PHI;
  • Uses or disclosures of more than the Minimum Necessary PHI; and
  • Lack of administrative safeguards of electronic PHI.

The most common types of covered entities that had to take corrective action were:

  • Private Practices;
  • General Hospitals;
  • Outpatient Facilities;
  • Health Plans; and
  • Pharmacies.

Subscribe
to
HIPAA & Breach Enforcement Stats


White Paper
Did HITECH Increase HIPAA Patient Complaints?
HIPAA/HITECH Act Enforcement 2003-2013:
The Role of Patient Complaints in Medical Privacy and Data Security




The Ripple Effects of HHS Proposed Requirements
for Accounting of Disclosures

July
2011

 


The Nuts & Bolts of Insurance & Covering
The Costs of Health Data Breaches

Aug. 2010




Visit our
Education Page
for a complete list of webinars



Understanding & Coping with the New HITECH Regulations - 2 Part Webinar Series
February 2013


A Strategic Approach to Protecting Yourself from HIPAA Audits
Oct. 2011

 



SPECIAL OFFER
3-Part Series: Domino Effects
of HIPAA & HITECH  on the Healthcare Workforce

July, Aug. & Sept. 2012



PRIVACY
HIPAA Complaints Lodged with OCR
Through May 30,  2014*

Month

Monthly

Running Total*

Cases  Under OCR Jurisdiction

Cases Requiring CE
Action

Cases Requiring No CE Action

%  Required CE Action of Total Lodged Complaints

Cases Referrals to DoJ

Running Total for DoJ*

2012

April

880 70,107 24,325 16,015 8,310 22.8% 0 500

May

875 70,882 24,681 16,259 8,422 22.9% 2 502

June

967 71,849 25,222 16,708 8,514 23.25% 0 502

July

835 72,684 25,612 17,025 8,587 23.4% 0 502

August

992 73,676 26,071 17,422 8,649 23..6% 0 502

September

878 74,554 26,513 17,767 8,746 23.8% 0 502

October

920 75,474 26,922 18,122 8,800 24% 0 502

November

990 76,464 27,175 18,328 8,847 26.3% 1 503

December

726 77,190 27,466 18,559 8,907 26.3% 6 509
2013

January

686 77,877 27,682 18,711 8,971 26.4% 5 514

February

994 78,871 27,973 18,927 9,046 26.4% 0 514

March

1,049 79,920 28,452 19,306 9,146 26.6% 1 515

April

916 80,836 28,981 19,726 9,255 26.7% 1 516

May

954 81,790 29,428 20,056 9,372 26.7% 0 516

June

774 82,564 29,852 20,359 9,466 26.9% 0 516

July

1,117 83,681 30,222 20,674 9,548 26.9% 2 518

August

1,558 85,239 30,886 21,271 9,615 26.7% 0 518

September

1,482 86,721 31,548 21,763 9,785 26.4% 2 520

October

876 87,597 31,639 21,832 9,807 26.4% 0

520

November

1,448 89,587 31,811 21,492 9,869 26.2% 1

521

December

414 90,001 31,925 22,026 9,899 26.0% 1

521

2014

January

720 91,721 32,096 22,141 9,948 25.9% 0 521

February

1,254 92,975 32,227 22,222 10,005 25.4% 1 522

March

1,470 94,445 32,410 22,353 10,057 25.1% 4 526

April

1,143 95,588 32,617 22,497 10,114 24.9% 4 526

May

2,114 97,702 32,795 22,613 10,182 24.6% 4 530

*  Since April 2003/Source: HHS Office for Civil Rights
· Please credit  Health Information Privacy/Security Alert if you cite any of these statistics.


Comment on Our White Paper
HIPAA/HITECH Act Enforcement 2003-2013:
The Role of Patient Complaints in Medical Privacy and Data Security


OCR Security Stats

OCR said it received 880 complaints alleging a security rule violation since it took over enforcement from CMS in October 2009. The agency statistics suggested that it received 21 In May. It received 21 complaints in April and 17 complaints in March.

The agency said it closed 644 complaints after investigation and corrective action in April. That indicated that the agency closed 26 cases in May. It closed 14 cases in April and six in March.

The security enforcement numbers do not necessarily indicate that patients are not complaining about security issues. OCR explained that it receives fewer security complaints because employees are the most are the most likely to know about these problems.


.


HIPAA Transactions Standards
CMS Did Not Update Stats

Complaints Received by CMS
Through Jan. 31, 2014
Complaint Type Total Open Closed
Transaction and Code Sets 808 21 787
National Provide Identifier 62 0 62
Total 870 21 849
No Civil Penalties Imposed

Open –Outstanding issues remain. Entity may be under a corrective action plan or additional information from either the complainant, the filed against entity, or both is being sought.
Closed–No further action required. All issues have been sufficiently resolved.

  Source: CMS

Subscribe to HIPAA & Breach Enforcement Stats

© 2014 Melamedia LLC