
HIPAA: Report Shows Most Complaints Not Investigated

Government Health IT published an interesting report today, "Most privacy complaints are not investigated."

From the article:

"The Department of Health and Human Services investigated less than 25 percent of 22,964 privacy complaints submitted to HHS’ Office for Civil Rights (OCR) from April 2003 through September 2006"

This was according to the newly released “3rd Annual Review of Medical Privacy and Security Enforcement” from Melamedia LLC. The full report costs $260.

Fine... I'll continue reading the free article about the full study report...

"Melamedia found that of the 5,400 complaints investigated – all of which were filed against health care organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) – OCR officials took informal action in 3,700 cases. Officials absolved the accused health care organizations in 1,700 others."

The authors raised their own questions about why so few complaints have been investigated.

I'm also disappointed in the enforcement efforts, but not surprised. Over the past couple of years I've been doing business partner and vendor security program reviews for some of my clients, and some of those partners have been state agencies. An interesting exemption from having business associate agreements under HIPAA, and one that is amazingly unknown to the folks I've spoken to in the OCR and CMS enforcement offices, applies to those state agencies who fall under the Medicare Modernization Act (MMA). (A long story that would be good to discuss in another blog posting, or perhaps a white paper.) Related to this, I have spoken at length with several of the folks in each of the CMS and OCR enforcement offices about when they pursue compliance investigations. Both offices told me that, basically, unless an actual incident had occurred, they would probably not investigate a complaint.

Huh?

Yes: a federal law implemented to help protect patient information is apparently being begrudgingly enforced by those given that responsibility.

With the new False Claims Act Guidelines coming into play with HIPAA enforcement, which I blogged about recently, I wonder whether enforcement activities will increase.

The most significant way to make HIPAA effective is consistent and active enforcement. Too many covered entities are now shrugging off their compliance requirements, knowing that the likelihood of receiving fines and penalties is nil, based upon the number of fines and penalties actually applied by OCR and CMS on behalf of the Department of Health and Human Services (HHS). Nil.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.