Last week the HHS Office for Civil Rights (“OCR”) presented certain findings regarding Health Insurance Portability and Accountability Act (“HIPAA”) compliance and enforcement to the National Committee on Health and Vital Statistics (“NCHVS”), an HHS advisory committee. The presentation reviewed OCR’s two recently issued reports to Congress. OCR is required to submit such reports under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The first report, “HIPAA Privacy, Security, and Breach Notification Rule Compliance,” examines the number and type of complaints received by OCR regarding HIPAA violations and the agency’s response. The second report, “Breaches of Unsecured Protected Health Information,” reviews breach notifications received by OCR and the agency’s response. The report also includes the agency’s first enforcement actions under the Breach Notification Rule.

The HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) govern (1) how a covered entity may use and/or disclose an individual’s protected health information (“PHI”) and the rights of individuals with respect to their PHI, (2) administrative, physical, and technical safeguards to protect electronic PHI, and (3) notification requirements if unsecured PHI is breached. Since April 14, 2003 (the compliance date for the Privacy Rule), OCR has received 77,190 complaints alleging violations of the HIPAA Rules. OCR investigated over 32,600 of those complaints. The agency resolved almost 22,500 cases by requiring HIPAA covered entities to take corrective actions and/or provided technical assistance to covered entities to resolve indications of noncompliance. Importantly, in 21 cases, OCR has resolved investigations through the execution of resolution agreements involving the payment of settlement amounts ranging from $35,000 to $2.25 million (and totaling over $20.8 million) and has imposed civil money penalties of over $4.3 million in one case.

Under the HIPAA Breach Notification Rule, HIPAA covered entities are required to report breaches of unsecured PHI to OCR, affected individuals, and in some cases, the media. HIPAA business associates are required to report breaches of unsecured PHI to covered entities. From September 23, 2009 to December 31, 2012, the agency received reports of 1,027 breaches affecting 500 or more individuals. These breaches affected the PHI of over 22.5 million individuals. OCR investigates all reported breaches affecting 500 or more individuals and may open compliance reviews into certain reported breaches affecting fewer than 500 individuals. The number one cause of breaches in 2011 and 2012 was theft.

As of the end of 2013, OCR had entered into resolution agreements with seven covered entities as the result of investigations in response to breach notifications submitted to OCR. These resolution agreements are the first settlements OCR has entered into based on investigations into notifications made under the Breach Notification Rule.

The HITECH Act also requires OCR to conduct periodic audits to ensure covered entities and business associates comply with the HIPAA Rules. OCR reports that “audits present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” OCR’s Audit Program is being conducted in phases. Phase I was an audit pilot program, which has been completed. We previously blogged about the pilot of Office for Civil Rights’ (OCR) HIPAA Privacy, Security and Breach Audit Program (HIPAA Audit Program) on November 30, 2011March 7, 2012, and June 26, 2012Phase II is currently in planning stages.

In its presentation to NCVHS, OCR outlined the agency’s continuing areas of concern. Those areas are: 1) risk analysis and risk management, 2) security and control of portable electronic devices, 3) proper disposal of PHI, 4) physical access controls, 5) training, and 6) lack of senior leadership attention/culture of compliance. OCR will likely continue to focus its ongoing investigations on these areas.