Action Plan Blue

OCR Has Collected Almost $80 Million Through Enforcement

The Office for Civil Rights (OCR) has been busy enforcing HIPAA since the Privacy Rule came into effect in 2003. OCR has settled or imposed a civil money penalty in 55 cases resulting in a total dollar amount of $78.8 million in the last fifteen years. Many other investigations resulted in corrective action plans or technical help to bring the covered entity or business associate into compliance. Many simply didn’t have the tools to begin with.

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

The Big Issues

The compliance issues investigated most are, in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

A “HIPAA Compliant” EHR Program is Not Enough

Four out of the five issues named are not centered around electronic records but are related to the overall approach that depends on a “culture of compliance” within an organization. Do staff understand what kind of use or disclosure is permissible? Is the workforce trained in the meaning of the minimum necessary standard? When patients request their own PHI, do they receive it in a timely fashion?

A Complete Approach

The HIPAA E-Tool® has it all. Every Policy, Procedure and Form for the Privacy, Security and Enforcement Rules, a Risk Analysis module, and Workforce Training to help staff understand what they need to know to maintain a culture of compliance. Take action now to get in front of the issue, and don’t get caught short in case a complaint or investigation comes your way.

For more information see the Department of Health and Human Services Enforcement Highlights here.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2019 The ET&C Group LLC.
The HIPAA E-Tool® is a registered trademark of The ET&C Group LLC
Terms of Service | Privacy Policy