According to recent figures from the U.S. Department of Health and Human Services (HHS), HIPAA enforcement seems to be on the rise. HHS reports dramatically increased enforcement efforts by the government in administering the federal privacy law that protects the confidentiality and security of healthcare information.
The U.S. Office of Civil Rights (OCR) reports having received over 115,929 HIPAA complaints and initiating over 1,216 compliance reviews since the final HIPAA Privacy Rule was put into effect in 2013. OCR also reports that, of those cases, 23,580 have required businesses to make changes to their privacy practices in order to avoid facing corrective action. All of this data points to the clear fact that the number of health claims filed under HIPAA has skyrocketed in recent years.
This unfortunately means that costly settlements regarding HIPAA compliance are becoming the norm in the medical industry, despite the wide variety of resources that are available for helping businesses and healthcare facilities remain HIPAA compliant. An example of one such settlement centers around Cornell Prescription Pharmacy, a small pharmacy in Colorado. The pharmacy had allegedly disposed of documents containing the protected health information of 1,610 patients in an unlocked, open container, with no shredding of the documents prior to disposal. In addition, the pharmacy seemed to have no written policies or procedures in place as required under HIPAA, and had failed to train employees on compliant privacy practices. Cornell just recently reached a settlement agreement with OCR in March of this year. The settlement amount? $125,000—a significant sum for such a small-scale facility. The settlement also requires the Colorado pharmacy to develop and implement a new, comprehensive set of policies and procedures that comply with HIPAA’s Privacy Rule, including extensive staff training.
Cornell’s story echoes that of two New York hospitals that agreed last year to pay $4.8 million in settlements after a data breach caused the protected health information of 6,800 individuals to be compromised. The data breach occurred when a physician attempted to deactivate a personal server, causing sensitive data to be released to the Internet in a searchable format. With these and numerous other stories from the past year that detail non-compliant medical facilities, only time will tell whether the number of HIPAA complaints that HHS receives per year is on a continuing upward trend.