Why is the OCR Not Issuing More HIPAA Fines?

The Department of Health and Human Services’ Office for Civil Rights is tasked with policing HIPAA, and there has been no shortage of HIPAA violations of late, so why is the OCR not issuing more HIPAA fines?

Huge Data Breaches – Numerous HIPAA Violations – 22 Financial Penalties

Since October 2009, 1,140 data breaches affecting more than 500 individuals were reported to the OCR, while there were more than 120,000 breaches involving fewer than 500 individuals. Out of those incidents – including a large number that involved or directly resulted from HIPAA violations – only 22 have warranted OCR HIPAA penalties according to research conducted by ProPublica. The OCR has been reserving financial penalties for organizations that “have involved systemic and/or long-standing”, and is cautious about exercising its rights and fining HIPAA violators.

Interestingly, the California Department of Public Health is more active when it comes to holding healthcare organizations accountable for their lack of attention to HIPAA legislation. It too has issued 22 fines to HIPAA violators, although that was just in the past 12 months, while January and February have already seen another 8 fines issued for breaches of patient privacy. The OCR has issued an average of just over 3 and a half settlements a year (3.67) since 2009.

HIPAA Compliance Crackdown Yet to Come

There is a supposed crackdown on HIPAA non-compliance and fines are certainly being issued; however, in 2014 the OCR only entered into six resolution agreements with violators of HIPAA regulations. Assessing compliance is another area where the OCR has been criticized for its lack of action. The second round of audits was delayed last year, and does not look like it will be starting any time soon. It also took over two and a half years between the end of the pilot round of audits and the scheduled start of the second round. The OCR may be looking to start a permanent audit program, but that appears to be a long way off.

When the second round of audits starts, 800 covered entities and 400 business associates will be audited. The audits will have a narrow focus and will be only looking at Privacy Rule, Breach Notification Rule and Security Rule compliance, and will not include general audits of all three. Many of the audits will be “desk based”, involving only a document check, albeit a thorough one. These audits will therefore be no guarantee of full HIPAA compliance, even if they are passed without observations.

The Power to Issue Financial Penalties

The Enforcement Rule allowed fines to be imposed by the OCR for non-compliance, with the Omnibus Rule bringing the fines in line with the HITECH Act. The OCR is able to issue penalties of up to $1,500,000 per violation category, per year that the violation was allowed to persist. Last year the OCR settled with New York-Presbyterian Hospital and Columbia University for almost $4.9 million. However, these fines are surprisingly rare.

Many feel that the OCR is not doing as much as it should in this regard, and the agency has been criticized in the past by the HHS’ inspector general for its lack of action against offenders. The OCR does take action against violators of HIPAA Rules, but in many cases other penalties are applied. For instance, action plans are issued with strict timescales for compliance, to ensure that breaches do not happen again.

Why is the OCR not Issuing More Fines?

The Office for Civil Rights is placed in a difficult position. It has been given an enormous workload, very few staff and an extremely limited budget.

As pointed out by ProPublica, for a budget of only $39 million per annum, the OCR must handle 4,000 discrimination complaints, review 2,500 Medicare provider applications to see if the applicants are complying with federal civil rights requirements, and deal with a rapidly increasing number of complaints about HIPAA violations, which amount to some 15,000 each year. It is also required to run a program of compliance audits on covered entities, and often must enter into lengthy discussions regarding settlements. All of this work has to be conducted by just 200 staff. And its budget has been frozen.

Funds can be increased by the issuing of more fines, but it can take many years to get those funds. The settlement with Parkview Health System for the improper dumping of 71 cardboard boxes of PHI – a clear HIPAA violation – took 5 years to resolve. Staff cannot be asked to wait that long to get their wages.

What is needed is an increase in the OCR’s operational budget, as this would allow it to employ more staff, conduct more investigations and police HIPAA more thoroughly. With the increased revenue it manages to generate from enforcement actions, and the additional resources it will have to tackle non-compliance, healthcare organizations would then be forced to bring their policies and procedures in line with regulations.

The situation is summed up nicely by computer security expert and blogger Bruce Schneier. “If the cost of polluting is zero, companies will pollute. How would a rational company not do that?” he said. “If your CEO said we’re going to spend four times as much money not to pollute, he would be fired. What you need is to make security rational.”

However, to do that the OCR needs to be allocated more funding, and while this has been recommended in President Obama’s State of the Nations Speech earlier this year, that is no guarantee that the money will be forthcoming.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.