Enforcement of HIPAA is changing
There are many indicators that make us believe that we will see a distinct uptick in OCR enforcement activity. The last two OIG reports say OCR isn’t doing enough, the news points out issues with enforcement, and even Congress is getting in the mix. In this episode, we discuss why this makes us think you don’t want to wait around to see IF OCR starts doing anything differently.
Enforcement Major Point in 2015 OIG Report
The latest OIG report does say that OCR is investigating large breaches, and it notes: in almost all of the closed large-breach cases, it determined that covered entities were noncompliant with at least one HIPAA standard. [4:50]
The 2015 report says that OCR should:
- Enter small-breach information into its case-tracking system or a searchable database linked to it;
- Maintain complete documentation of corrective actions;
- Develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches;
- Develop a policy requiring OCR staff to check whether covered entities reported prior breaches; and
- Continue to expand outreach and education efforts to covered entities.
OCR concurred with all five recommendations and described its activities to address them.
Special shout-out to HIPAA Journal. We really appreciate what you guys do over there!
Enforcement Miscues Making the News
[9:52] A recent NBC report showed the fax number issues that APS Marketing Group in Brooklyn dealt with this year. In April 2015, the company started receiving faxes from a medical clinic that contained patients' medical information and were intended for Quest Diagnostics. Eventually the faxes they were receiving were coming from multiple facilities, all directed to Quest.
This had been going on for months, with hundreds of patient records containing Quest lab request information ending up among the company's received faxes.
The company contacted Quest, who said they would try to fix it. But faxes kept coming.
Next, they reported it to HHS, which said it would get it resolved. But faxes kept coming.
Next, they called OCR and were told it was closed.
Finally, they called in a reporter and a local New York news station started reporting on the issue. Now, that did it – the problem got solved.
Enforcement Questions from Senators
[16:40] Senators are asking HHS / OCR / CMS for answers to all the issues with breaches.
The Medicare/Medicaid programs budget approximately $98 billion each year to cover the cost of medical identity theft, which corresponds to 10% of the programs' annual budgets.
The letter asks:
- What CMS and HHS are doing to monitor medical identity fraud
- What CMS and/or OCR are actually doing, if anything, to track cases of ID theft and fraud
OCR uses the data collected from covered-entities to monitor potential breach victims and find out if their data have in fact been used by criminals
- They also want to know whether any education materials or help are offered to breach victims by the CMS and OCR
A response was requested by November 24. As of the release of this podcast, we can't find information relating to any response that HHS has provided to this request.