Proliferating HIPAA complaints and medical record breaches
In addition, a growing number of these complaints are going unresolved.
The protected health information (PHI) security and privacy goals of HIPAA in spirit and intent are good, Herold, leader of the Realtime IT Compliance Community, told SCMagazineUS.com on Friday. The regulatory oversight of the U.S. Department of Health and Human Services (HSS), however, has been underwhelming, she said.
The statistics provided about Privacy Rule complaints clearly show the numbers increasing on an annual basis, she added. This is a result not only of the growing numbers of privacy breaches, but also of the public's growing awareness of the risks involved with PHI breaches, and the fact that covered entities clearly have a law requiring them to protect PHI, but it is a law that is not being enforced.
Over the past five years, there were over 32,000 reports of complaint about HIPAA to the Office of Civil Rights (OCR), Herold said. Approximately 25,500 of these have been resolved.
“It is also important to point out that the same four issues have been the top issues where complaints were received every single year,” said Herold.
Those issues are impermissible uses and disclosures, safeguards, access, and minimum necessary.
“These categories of vulnerabilities are significant contributors to privacy breaches,” she said.
The health care sector continues to be an industry that suffers from large numbers of data breaches, Doug Pollack, chief marketing officer of ID Experts told SCMagazineUS.com.
“This can be partially attributed to the essential need for access to confidential patient information on a real time basis by medical professionals,” he said. “While they may not correlate directly, it isn't surprising that there is an increase in both the number of data breaches and the number of HIPPA violation complaints. While there is no simple answer to substantially reducing the risks that lead to data breaches in the medical community, a large number of breaches in healthcare are caused by loss or theft of physical files or laptops, and so more rigorous physical security policies and data encryption standards for laptops may be a very good place to start.”