Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) explained OCR’s role in enforcing HIPAA Rules in a recent blog post and confirmed where enforcement activities will be focused over the coming 12 months. Samuels said OCR is “laser-focused on breaches occurring at health care entities, and any issues that lead to them” and that will not change.
In the post, Samuels spoke of the increase in enforcement activities and pointed out OCR has entered into a record number of financial settlements with organizations that have been discovered to have violated HIPAA Rules.
There are just over two months left of 2016, yet OCR has already entered into 11 financial settlement agreements with HIPAA-covered entities this year, compared to five settlements in 2013, six in 2014, and six in 2015. For the most part, these investigations of covered entities were triggered by major data breaches rather than by complaints filed by individuals.
Many complaints are submitted to OCR each year about potential HIPAA violations. While all are taken seriously, OCR concentrates on investigating HIPAA violations that have led to the exposure of millions of patients and health plan members’ records rather than individual privacy violations.
According to Samuels, OCR is committed to enforcing HIPAA Rules and “will continue to focus its enforcement efforts and its resources in this area on cases that identify industry-wide noncompliance, where corrective action under HIPAA may be the only remedy.”
Investigations of covered entities require considerable resources and man-hours, but funds are limited. While it is difficult not to investigate all potential HIPAA violations, Samuels pointed out that it is essential that funds are put to the best possible use “to maximize the benefit for the American public.”
Consequently, many complaints received by OCR cannot be pursued. Samuels explained that OCR receives many complaints about HIPAA-covered entities each year, but a high percentage of those complaints do not actually allege violations of HIPAA Rules. Even when complainants do allege HIPAA violations, it is not possible to pursue cases against many of the organizations concerned due to a lack of evidence. Cases are also dropped when violations prove difficult to establish. With funds limited, OCR must “get the most bang for the taxpayers’ buck.”
Samuels confirmed that OCR will take action against covered entities when organization-wide non-compliance is discovered and “will continue our vigorous efforts to provide guidance and technical assistance,” to prevent HIPAA violations and data breaches.
The long-awaited second phase of HIPAA compliance audits has now commenced, and the audits will be invaluable in helping OCR produce future guidance on HIPAA. The audits will identify aspects of HIPAA Rules that covered entities are struggling to address, and further guidance will be issued accordingly.
Samuels also said OCR is committed to helping covered entities introduce appropriate controls to safeguard PHI from the barrage of cyberattacks, in accordance with the Cybersecurity Information Sharing Act of 2015.