(As of May 31, 2009)
The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers; and health care clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed. Compliance with the standards was required as of April 14, 2003 for most entities covered by HIPAA. On that date, OCR began accepting complaints involving the privacy of personal health information in the health care system.
Enforcement Results as of the Date of This Summary
- completed cases (25,492), HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. These include cases in which:
- OCR lacks jurisdiction under HIPAA – such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule;
- the complaint is untimely, or withdrawn or not pursued by the filer;
- the activity described does not violate the Rule – such as when the covered entity has disclosed protected health information in circumstances in which the Rule permits such a disclosure.
- In summary, since the compliance date in April 2003, HHS has received over 44,236 HIPAA Privacy complaints. We have resolved over eighty percent of complaints received (over 38,329): through investigation and enforcement (over 8,571); through investigation and finding no violation (4,266); and through closure of cases that were not eligible for enforcement (25,492).
From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Uses or disclosures of more than the Minimum Necessary protected health information; and
- Lack of or invalid authorizations for uses and disclosures of protected health information.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
- Private Practices;
- General Hospitals;
- Outpatient Facilities;
- Health Plans (group health plans and health insurance issuers); and,
OCR refers to the Department of Justice (DOJ) for criminal investigation appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rule, and to the Centers for Medicare and Medicaid Services (CMS) for investigation appropriate cases that describe a potential violation of the HIPAA Security Rule. As of the date of this summary, OCR made over 457 such referrals to DOJ, and over 309 such referrals to CMS. In the referred cases that describe potential violations of both the HIPAA Privacy and Security Rules, OCR and CMS coordinate the investigations.
Outreach and Education
HHS also obtains privacy compliance through outreach and education efforts. OCR has reached hundreds of thousands of covered entities and consumers through educational conferences, a toll-free call line, and an interactive website. On January 20, 2009, OCR launched a redesigned Privacy website that contains new information both for consumers and for covered entities. Since then, OCR has had over 600 thousand visits to its Privacy Web pages and over 150 thousand visits to the frequently asked questions on health information privacy and related topics. Additionally, HHS continues to maintain its popular Privacy listserv by distributing announcements and educational information to over 20,000 subscribers to the Privacy listserv.
Watch for monthly updates reporting the number of cases received, investigated or resolved.