[ Friday, September 09, 2005 ]
Recent Stats from Alan Goldberg:
From an email Alan sent around to the ALHA HIT list this morning:
"From a reliable source yesterday regarding OCR
[Office of Civil Rights, the HIPAA Privacy compliance watchdog agency] & HIPAA AdSi
[Administrative Simplification, the portion of HIPAA dealing with privacy, security and transaction & code sets] enforcement:1. 14,900+ complaints thusfar received by OCR re: HIPAA privacy rule.
2. Closed about 68% of the cases.
3. Providers appear, of late, more likely to be the covered entities alleged to have violated the rule.
4. About 70% of the complaints either not within jurisdiction or not meritorious.
5. About 6,200 complaints received during current fiscal year.
6. Not many security complaints thusfar, perhaps about 30 or so.
7. Although still no CMPs
[civil money penalties, the fines that can be levied for HIPAA breaches] assessed, don't delude yourself or anyone else and wrongfully assume they won't be and do assume that they will be if alleged violators don't respond or address requirements as expected in a timely and effective manner.
8. Over 200 referrals to the DOJ
[Department of Justice] for criminal investigation of alleged privacy rule violations.
9. Review is ongoing of whether accounting for disclosures requires some change because, inter alia, the claimed administrative burden on covered entities, and the relative paucity of those individuals who seek such accountings.
The numbers are interesting, but I find items 8 and 9 most interesting. DOJ doesn't mess around, although I don't know how many of those 200 referrals will be dropped by DOJ because of the recently published memo that employees of covered entities shouldn't be subject to HIPAA actions. I suspect a large number of that 200 involve low-level clerical employees of hospitals and physicians who steal social security numbers for identity theft purposes.
And I would like to see the accounting rule get a working over. I understand the good intentions behind it, but if covered entities are restricted from disclosing except where it's appropriate, is there really a need for an accounting?
Jeff [10:26 AM]
Blogger: HIPAA Blog - Edit your Template