The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released two annual reports regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA) and provisions enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The reports indicate that HIPAA-related complaints continue to grow annually; however, OCR intends to focus its compliance efforts on “high-impact” cases unless it obtains additional funding.  Additionally, the reports suggest that OCR is increasingly willing to impose significant penalties and seek large monetary settlements for HIPAA violations.  Below we discuss the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, and in a separate post we address the annual report dealing with breaches.

Complaint Resolution.  The report on covered entity compliance with the HIPAA Privacy, Security, and Breach Notification Rules indicates that the number of complaints alleging violations of HIPAA has continued to grow annually.  While OCR lacks jurisdiction to investigate the majority of these complaints, about two-thirds of investigated cases result in OCR requiring corrective action or providing technical assistance.

In 2011 and 2012, OCR received more complaints alleging HIPAA violations than in any calendar year up to that point (9,022 and 10,454, respectively).  OCR lacked jurisdiction over about 55% of the resolved complaints, investigated about 45% of resolved complaints, and provided technical assistance or required corrective action in over two-thirds of the complaints it investigated.  These numbers reflect the overall resolution of HIPAA complaints received between April 14, 2003 (the compliance date of the HIPAA Privacy Rule) and December 2012.  During that time, OCR received over 77,000 complaints and resolved 70,259 of these.  Of the resolved complaints, 60% (42,793) were not actionable because there was no HIPAA violation or because the violation occurred before the compliance date.  OCR investigated nearly 40% (27,466) of resolved complaints and required corrective action or provided technical assistance in 67% (18,559) of investigated cases.

Resolution Agreements and Imposition of Civil Monetary Penalty.  In 2011 and 2012, OCR signed Resolution Agreements with seven entities, requiring them to pay a settlement amount and complete a corrective action plan.  OCR pursues resolution agreements when it finds “noncompliance due to willful neglect, or where the nature and scope of the noncompliance warrants additional enforcement action . . . .”  The 2011 and 2012 agreements resolved “high-impact” cases that OCR believes will result in substantial industry impact.  Settlement amounts ranged from $50,000 to $1.7 million, and corrective action plans included features such as training employees, conducting risk analyses, and developing risk management plans.

In February 2011, the Department imposed the first civil monetary penalty (CMP) for violations of HIPAA.  Of the $4.3 million CMP imposed on Cignet Health of Prince George’s County, Maryland, $1.3 million was based on the finding that Cignet had denied 41 patients access to their medical records; $3 million was based on the finding that Cignet failed to cooperate with the Department’s investigations “on a continuing daily basis” for roughly a year “due to Cignet’s willful neglect to comply with the HIPAA rules.”

Audit Activity.  The Report discussed the HITECH Act’s requirement that the Department provide for periodic audits to ensure compliance with the HIPAA Privacy and Security Rules.  OCR has completed an audit pilot project in which audit protocols were developed and tested and 115 audits of covered entities were conducted.  Over 80% of audited entities had deficiencies related to the Privacy, Security, and Breach Notification Rules.

Future Enforcement Efforts.  Based on the increased volume of HIPAA complaints, OCR expects to “work smarter” by resolving complaints through early intervention and technical assistance, rather than through investigation.  OCR expects to focus resources on cases presenting serious allegations, pervasive compliance issues, and reviews of high-impact cases.

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.