[ Wednesday, February 07, 2007 ]
Compliance and Enforcement Statistics:
Just in from Alan Goldberg, moderator of the American Health Lawyers Association's Health Information Technology listserv (the "HIT list"), from OCR's compliance activity report of January 31, 2007:
As of the date of this summary, OCR has received and initiated reviews of
over 25,031 complaints, and has closed 76% of those cases. Case closures include
those where OCR lacks jurisdiction under HIPAA – such as a complaint alleging a
violation prior to the compliance date or alleging a violation by an entity not
covered by the Privacy Rule; where the activity alleged does not violate the
Rule – such as when the covered entity has declined to disclose protected health
information in circumstances where the Rule would permit such a disclosure; and
where the matter has been satisfactorily resolved through voluntary compliance –
for example, where an individual is provided access to their medical record
based on a complaint that such access had been previously denied.
The allegations raised most frequently in the complaints are: (1) the
impermissible use or disclosure of an individual’s identifiable health
information; (2) the lack of adequate safeguards to protect identifiable health
information; (3) refusal or failure to provide the individual with access to or
a copy of his or her records; (4) the disclosure of more information than is
minimally necessary to satisfy a particular request for information; and (5)
failure to have the individual’s valid authorization for a disclosure that
Complaints are most often filed against the following types of covered
entities: (1) private health care practices; (2) general hospitals; (3)
outpatient facilities; (4) group health plans and health insurance issuers; and
OCR refers to the Department of Justice (DOJ) appropriate cases
involving the knowing disclosure or obtaining of protected health information in
violation of the Rule for criminal investigation. As of the date of this
summary, OCR made over 369 such referrals to DOJ.
Thought you'd like to know that. Thanks, Alan!
UPDATE: Dennis Melamed posts on the HIT list that CMS (which enforces the security and transactions/code sets portions of HIPAA) has imposed corrective action plans on two health plans that violated the transactions and code sets provisions.
Jeff [11:29 AM]
Blogger: HIPAA Blog - Edit your Template