7/8/2014
09:05 AM

HIPAA Complaints Vex Healthcare Organizations

Complaints to the Department of Health and Human Services about Health Insurance Portability and Accountability Act violations have risen since 2013.


The number of Health Insurance Portability and Accountability Act (HIPAA) violation complaints received by the Department of Health and Human Services spiraled upward in 2013. Complaints are on a similar high-speed trajectory for 2014, according to analysis by TrueVault.

"The number of complaints through May 2014 is up 45.7% over the number received through May in 2013, so we believe that we will continue to see complaints surge through 2014," Morgan Brown, vice president of growth at TrueVault, said in an interview. As of May 2014, there had been 6,701 complaints, versus 4,599 a year earlier.

Of those complaints, corrective action was required in 26% of cases HHS reviewed. Only 14% of complaints resulted in no action -- a statistic that "points to the severity of the problem of keeping patient data safe and secure," said Brown.


Increased consumer awareness might be one reason, he said. Regulatory changes are another.

"At the same time, we'll see enforcement activity rise with the enactment of the new Omnibus Final Rule regulations that went into effect last year," he said. "The new rule introduced new, higher fines and requires that all business associates meet HIPAA compliance standards. Previously, only covered entities were subject to the law."

(Source: TrueVault)

Jerome Meites, an HHS chief regional civil rights counsel, warned late last year that the government would pursue organizations more aggressively for HIPAA violations. Audits, which began in 2013, will continue through 2015, he said.

In addition, states enacted their own data security and enforcement policies. Of the approximately 90,000 complaints received through 2013, only 32,000 fell under the jurisdiction of the HHS Office of Civil Rights. Of these, 22,026 required corrective action, while investigation of 9,899 found no violation.

Of the 521 complaints the OCR referred to the Department of Justice for potential criminal justice, the DoJ has agreed to pursue only 54 of them.

Executives agreed that the Omnibus Rule will generate larger penalties and more criminal enforcement. "HIPAA is all about risk management," Art Gross, president and CEO of HIPAA SecureNow, told us. "I've seen the shift in awareness since last September with the Omnibus Rule."

Patients or others affected by a HIPAA breach have another recourse, too.

"There is no private cause of action under HIPAA, but that does not prevent aggrieved parties from suing companies who have caused a breach under common law for privacy violations and negligence, among other things," TrueVault's Brown said. "Also, individuals may lodge complaints with the government, which can investigate and bring enforcement actions."

Experts said healthcare organizations and their business associates should use the threat of more audits, penalties, and criminal enforcement as another incentive to invest more resources toward protecting patient data.

"With the growing number of mobile devices, tablets, and laptops used in patient management, healthcare organizations need to ensure that they have the proper administrative, physical, and technical safeguards in place as mandated by the law to ensure compliance and to reduce breaches. This includes both proper training and regular compliance audits with the staff and the proper technical safeguards to ensure that devices that are lost or stolen have data that is password protected and encrypted, and that devices can be remotely wiped as needed," Brown said. "In addition, healthcare organizations need to ensure that their technology partners are also compliant and are using best practices when it comes to device and data security."


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...
