HIPAA privacy and security complaint statistics have been made available for June. You may not realize it, but the federal HIPAA Privacy program is administered by Health & Human Services (HHS) Office of Civil Rights (OCR).
Let’s see how things are going.
June 2008 — OCR received 849 HIPAA privacy complaints. Ouch.
OCR pegged 256 cases that required some kind of action by the HIPAA covered entity (that would be a provider, a hospital, an insurance plan, folks like that who work with your protected health information). If all 256 of those cases were filed in June, it means that a quick look-see at the complaints, just for June, reveals at least 30% of them will require that the provider or hospital or health plan DO SOMETHING to protect your health information.
OCR made one referral to the Department of Justice for potential prosecution. Not bad, especially considering that OCR has referred 436 cases to DOJ since April 2003. We can interpret this one of two ways: either the bad guys are getting better at getting away with stealing your protected health information, or providers, hospitals, and health plans are getting better at protecting it. (I wouldn’t put any money on the second possibility.)
The most common HIPAA privacy complaints were:
— Unauthorized disclosures of protected health information
— Safeguard issues — the doctors, or practices, or health plans, etc., were not taking as good a care of your protected health information as they probably should
— Denial of patient requests for copies of their medical records
— Disclosing too much protected health information
— Utilizing invalid authorizations for disclosing protected health information (I’ll explain more about valid authorizations in a future post)
In order, here are the offenders:
— Private practices
— Outpatient (day surgery) facilities
— Health Plans (group health plans and health insurance companies)
— Pharmacies (a small surprise, right?)
The HIPAA Security Rules are administered by CMS — the folks who bring you Medicare. They received 10 complaints in May — a very big jump for them.
Got a question about your or your family’s protected health information, your medical records, or your HIPAA Privacy & Security rights? Leave a comment, or send me an email at firstname.lastname@example.org. I’m here to help. BTW, all posts on my blog, written by me, are (c) 2008 Lane R Hatcher. If you’d like to reprint, contact me! And yes, I’m working on a web site.