HHS Provides Details to Congress on HIPAA Enforcement Actions, Data Breach Reporting

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

Two recent federal reports to Congress show the Department of Health and Human Services fielding tens of thousands of complaints about Health Insurance Portability and Accountability Act violations—including breaches of HIPAA-protected data—since enforcement of the various HIPAA rules began in 2003.

The HHS Office for Civil Rights Sept. 1 released two reports detailing HHS's enforcement of the HIPAA Privacy and Security rules since 2003 and 2005, respectively, and information about data breaches reported to the agency since 2009.

The reports—sent to congressional committees in August—were mandated in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

OCR said in the report on HIPAA Privacy and Security rule compliance that HHS received more than 57,000 complaints of Privacy Rule violations between April 2003 (when compliance with the rule was required) and December 2010. Of those complaints, HHS investigated more than 19,000, finding no violation in 34 percent of the cases.

HHS received more than 800 complaints alleging Security Rule violations between April 2005 (when compliance with that rule was required) and December 2010. The department investigated nearly 290 of the complaints, finding no violation in nearly half the cases.

Data Breach Reporting

In a separate report on data breaches, OCR said HIPAA-covered entities reported more than 250 large data breaches, defined as those involving the protected health information of more than 500 individuals, in 2009 and 2010. In those cases, covered entities also must notify affected individuals.

For 2009 and 2010, covered entities notified a total of 7.8 million people that their protected health information was compromised in a data breach, OCR reported.

The HITECH Act for the first time mandated that breaches of HIPAA-protected health data be reported to HHS and, in some cases, to affected individuals.

The most common cause of data breaches in both years covered by the OCR report was theft of paper records or electronic media containing patient information. Other top causes of breaches included unauthorized access, use or disclosure of protected patient information, and human error.

In addition to the large breaches, covered entities reported more than 30,500 smaller breaches to HHS in 2009 and 2010.

OCR said most of those breaches affected just one individual and were caused by misdirected communications, such as mistakenly mailing or faxing clinical or claims data or test results to the wrong person.


The reports are available at http://www.hhs.gov/ocr/privacy/hitechrepts.html.