Every hour of every day an average of two HIPAA complaints come into the Department of Health and Human Services’ Office for Civil Rights (OCR). That estimate is gleaned from a recent report that shows the OCR has received 294,142 HIPAA complaints in the 19 years since the April 2003 compliance date of the Privacy Rule. Hopefully, your company is not among them.
Since 2003, the top 5 compliance issues alleged in complaints, in order of frequency, are: Impermissible uses and disclosures of protected health information (PHI); lack of safeguards of PHI; lack of patient access to their PHI; lack of administrative safeguards of electronic PHI; and use or disclosure of more than the minimum necessary PHI.
Who is listed on the complaints?
Do you think your organization is not at risk of privacy issues? The five most common types of covered entities that allegedly commit violations, in order of frequency, are:
1. General hospitals
2. Private practices and physicians
3. Pharmacies
4. Outpatient facilities
5. Community health centers
Real fines for rule breakers
Interestingly last month, dental practices accounted for three out of the four healthcare providers held accountable for HIPAA violations, according to a report on HHS.gov. In brief, here are their infractions and the penalties:
- A Pennsylvania dental practitioner failed to give a patient a copy of their medical record which eventually led to a settlement agreement in which the dentist agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
- A North Carolina dental practice disclosed a patient’s PHI on a webpage in response to a negative online review. OCR imposed a $50,000 civil money penalty.
- An Alabama dental practice disclosed its patients’ PHI to a campaign manager and a marketing company hired to help with a state senate election campaign. The practice agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
- A California psychiatric medical services provider agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.
Let us help you stay in compliance and stay off the OCR’s complaint list.
Contact the HIPAA experts at PrivaPlan today. Email info@privaplan.com or call 877-218-7707.