Since 2013, complaints to the Department of Health and Human Services have risen regarding Health Insurance Portability and Accountability Act violations.
EHR Jobs Boom: 8 Hot Health IT Roles
(Click image for larger view and slideshow.)
The number of Health Insurance Portability and Accountability Act (HIPAA) violation complaints received by the Department of Health and Human Services spiraled upward in 2013. Complaints are on a similar high-speed trajectory for 2014, according to analysis by TrueVault.
"The number of complaints through May 2014 is up 45.7% over the number received through May in 2013, so we believe that we will continue to see complaints surge through 2014," Morgan Brown, vice president of growth at TrueVault, said in an interview. As of May 2014, there had been 6,701 complaints, versus 4,599 a year earlier.
Of those complaints, corrective action was required in 26% of cases HHS reviewed. Only 14% of complaints resulted in no action -- a statistic that "points to the severity of the problem of keeping patient data safe and secure," said Brown.
Increased consumer awareness might be one reason, he said. Regulatory changes are another.
"At the same time, we'll see enforcement activity rise with the enactment of the new Omnibus Final Rule regulations that went into effect last year," he said. "The new rule introduced new, higher fines and requires that all business associates meet HIPAA compliance standards. Previously, only covered entities were subject to the law."
Jerome Meites, an HHS chief regional civil rights counsel, warned late last year that the government would pursue organizations more aggressively for HIPAA violations. Audits, which began in 2013, will continue through 2015, he said.
In addition, states enacted their own data security and enforcement policies. Of the approximately 90,000 complaints received through 2013, only 32,000 fell under the jurisdiction of the HHS Office of Civil Rights. Of these, 22,026 required corrective action, while investigation of 9,899 found no violation.
Of the 521 complaints the OCR referred to the Department of Justice for potential criminal justice, the DoJ has agreed to pursue only 54 of them.
Executives agreed that the Omnibus Rule will generate larger penalties and more criminal enforcement. "HIPAA is all about risk management," Art Gross, president and CEO of HIPAA SecureNow, told us. "I've seen the shift in awareness since last September with the Omnibus Rule."
Patients or others affected by a HIPAA breach have another recourse, too.
"There is no private cause of action under HIPAA, but that does not prevent aggrieved parties from suing companies who have caused a breach under common law for privacy violations and negligence, among other things," TrueVault's Brown said. "Also, individuals may lodge complaints with the government, which can investigate and bring enforcement actions."
Experts said healthcare organizations and their business associates should use the threat of more audits, penalties, and criminal enforcement as another incentive to invest more resources toward protecting patient data.
"With the growing number of mobile devices, tablets, and laptops used in patient management, healthcare organizations need to ensure that they have the proper administrative, physical, and technical safeguards in place as mandated by the law to ensure compliance and to reduce breaches. This includes both proper training and regular compliance audits with the staff and the proper technical safeguards to ensure that devices that are lost or stolen have data that is password protected and encrypted, and that devices can be remotely wiped as needed," Brown said. "In addition, healthcare organizations need to ensure that their technology partners are also compliant and are using best practices when it comes to device and data security."
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and we offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators. Read our InformationWeek Elite 100 issue today.
Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio
Healthcare Data Breaches Cost More Than You ThinkHealthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.