By Daniel J. Solove
ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.
A Sustained and Vigorous Critique of OCR HIPAA Enforcement
A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”
Another ProPublica article about HHS enforcement goes into depth about how smaller HIPAA violations are often not sanctioned:
Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, it typically settles for pledges to fix any problems and issues reminders of what the Health Insurance Portability and Accountability Act requires. It doesn’t even tell the public which health providers have reported small breaches — or how many.
A recent article from ProPublica chastises HHS for not doing enough to enforce against organizations that have had many HIPAA violations:
The data analyzed for this story shows the problem goes beyond isolated incidents, carrying few consequences even for those who violate the law the most.
“The patterns you’ve identified makes a person wonder how far a company has to go before HHS recognizes a pattern of noncompliance,” said Joy Pritts, a health information privacy and security consultant who served as chief privacy officer for HHS’ Office of the National Coordinator for Healthcare Information Technology until last year.
Pritts said the government is supposed to take into account a health provider’s prior track record of following the law when deciding whether to pursue fines for privacy violations. “You have to ask whether that’s happening,” she said.
The article goes on to list organizations with the most offenses, some with hundreds. According to the article, the U.S. Department of Veterans Affairs (VA) “was the most persistent HIPAA violator in the data. Time and again, records show, VA employees snooped on one another and on patients they weren’t treating. . . . All told, VA hospitals, clinics and pharmacies violated the law 220 times from 2011 to 2014.” Despite these violations, the “VA has never been called out publicly by the Office for Civil Rights or sanctioned for its string of violations.”
HIPAA complaints have been on the rise lately, as this chart below demonstrates:
One reason for the minimal OCR enforcement is that OCR has limited resources. One ProPublica article notes:
While it can keep whatever fines it imposes to use for enforcement, it has fewer than 200 employees and a budget of just $39 million. Its duties, by comparison, are vast: Each year, it handles over 4,000 discrimination complaints, reviews 2,500 Medicare provider applicants to see if they are complying with federal civil rights requirements, and resolves more than 15,000 complaints of alleged HIPAA violations.
A reason for not going after smaller HIPAA violations is that OCR is focused on the big data breach cases. According to one article: “Deven McGraw, deputy director for health information privacy at the Office for Civil Rights, said the agency’s top priority has been investigating breaches that affect at least 500 people, which providers are required by law to report promptly.” The article notes that McGraw would “like to see us doing more” about repeat offenders.
When Should OCR Issue Penalties?
OCR has been rather Spartan with the penalties, only starting to use a more penal enforcement regime after the HITECH Act of 2009. Since then, there have been about 30 cases with monetary penalties – which is a very small number considering the number of HIPAA complaints.
I don’t believe that every HIPAA violation warrants a penalty – even organizations that have repeated violations. At very large organizations, there will always be employees who violate HIPAA. These employees should be disciplined or fired, and it’s not always an organization’s fault that some bad apples work there.
But there are instances when organizations contribute to the bad apples by not adequately training people and not adequately disciplining people. It is true that the bigger the organization, the greater the risk that there will be some HIPAA violations, but there are large organizations that do not have large numbers of violations. It’s not just a difference of luck.
What OCR should look for is whether an organization is devoting sufficient time and resources to HIPAA compliance.
As Deven McGraw says, quoted in one article: “Often, when we take a look into those breaches, what we find is that they were not accidents. . . What contributed to the breach of thousands, if not tens of thousands of records, was systemic noncompliance … over a period oftentimes of years.”
A number of organizations have a check-box compliance program: they mouth the right words and offer poor training that nobody pays attention to. The resources just aren’t devoted to really building a culture of compliance. This is where OCR most needs to step in.
I am not a fan of overly technical enforcement – what might be called “gotcha enforcement.” Organizations must be given some latitude. They can make mistakes. They can have an errant employee. They don’t need to be perfect. But they must take HIPAA compliance seriously – and that means more than a check-box compliance program.
The ProPublica article series is worth a read. Although the stories are quite critical of OCR enforcement, they present the various sides to each story, and are quite in depth and nuanced. They definitely present a lot of food for thought.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.