Reviewing HIPAA enforcement data

As many of the twitterati already know, there is an RFI from HHS for significant revisions to HIPAA, which is due Feb 12th 2019.

In many of the issues that are covered under the current RFI, I feel very strongly that the answer is “You must have more substantial enforcement” from the Office of Civil Rights (OCR). OCR is the office at HHS that is responsible for enforcement, and I have a tremendous appreciation for the work that they do, but they are getting more and more complaints each year and they are (IMHO) under-funded and under-staffed. I also think they are too focused on education and not enough on hard-core enforcement. But I also acknowledge that given the funding levels, a focus on education was probably more effective than a focus on strict enforcement. I would have made the same decision if I had been in their shoes.

So is enforcement going well or going badly? Well, it's hard to tell, since much of the critical HHS OCR enforcement data is out of date, and much of the released data does not reveal critical data points (again, all IMHO). What does the enforcement data look like, and what should it look like?

We will be discussing what should come next for the patient community, but before we get too far along, I wanted to share with the rest of the patient community a tour of the enforcement data.

To start, familiarize yourself with the kind of enforcement that the OCR office is doing. There are two resources that I think are really informative for this:

  • The All Case Examples page gives summaries of what healthcare providers, payers, etc. did wrong and what changes they made that ultimately satisfied OCR. This is a good example of what it is like to get a “slap on the wrist” from OCR.
  • More serious issues result in Resolution Agreements, which list when the OCR felt a fine was necessary. As you might expect, the actions taken by the organizations here are much more clearly in the wrong.
  • Last, I would look at the top five issues in investigated cases report. This is a good source for understanding what types of issues the OCR is commonly enforcing.

In this last one we see our first “trend to note”:

For the first time, in 2016 the top enforcement issue was not “impermissible uses and disclosures” (i.e. a covered entity released data that they should not have) but rather “Access”, which means a patient's right to access their own data.

We also find our first significant problem with the data. The last year that this data was updated was 2016. We really need to understand whether this trend continued in 2017 and 2018.

I would prefer if we had numbers associated with this too. It makes a big difference if “Access” was the top issue at 90% of the cases they got, or if it was the top issue at 30% of the cases they got.

According to the HITECH Act, which was passed as part of healthcare reform under Obama and which amended HIPAA, HHS owes Congress annual reports on HIPAA compliance efforts. This requirement can be read by following the link above and searching for “SEC. 13424.”.

I am confused by this, because from what I can tell, HHS has been submitting this report once every two years, and has not submitted anything since 2014. At least that is what this page says. Granted, most of the items that are required to be reported to Congress are available in the enforcement data section of the website. But why did they stop reporting to Congress? FWIW, there is also a requirement to report breach notification data to Congress, and it seems like HHS is doing this the same way: once every two years, stopped in 2014. It's all very confusing.

Next, I think it is helpful to look at how OCR processes HIPAA complaints. For those of you who just love to dig into huge documents with very low payoff, you can also read the current and historical versions of the enforcement rule.

Much of what follows was influenced by this thread from Erin Gilmer on Twitter (GilmerHealthLaw). Essentially it is a quick summary of the overall enforcement highlights page from HHS OCR.

Since 2003, there have been 183,568 HIPAA complaints. This big number is further split out as follows:

  • 26,296 investigated and resolved (58 of these resulted in fines, which totaled about $80 million).
  • 11,573 times OCR determined that no violation had occurred.
  • 30,323 times OCR reached a resolution without investigation.
  • 115,376 times OCR determined that a complaint was not eligible for enforcement.

Apparently, the reasons for determining that a complaint was not eligible were:

  • OCR lacks jurisdiction (i.e. not a HIPAA covered entity)
  • Complaint is untimely
  • Complaint is withdrawn
  • Activity is not a violation of HIPAA

I really wish I had numbers on each of the above. I want to know, for instance, how often patient complaints are ignored because they are made too late!

Next we have the list of problems that OCR is encountering in the complaints, listed from most to least frequent:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

This list is particularly important, because if we look back at the top five issues in investigated cases report we see that ‘Access’ is the number one issue in 2016. Why does it not make this list at all? Strange. We really need to know how many events of each type are occurring, trended per year.

Next, we get a list of the types of organization that are typically complained about, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Outpatient Facilities;
  • Pharmacies; and
  • Health Plans (group health plans and health insurance issuers).

I wish we had numbers on these. Again, it makes so much difference if “General Hospitals” is #1 at 90% or at 20%.

Strangely, there are actually two charts on how many complaints OCR receives: one that covers 2003 (partial) to 2015 and another that covers 2013 to 2016. Obviously, this needs to be made current through 2018. But it would also be awesome if the data did not conflict, specifically:

Year                  2013-2016 data page   2003-2015 data page
2016                  21381                 missing
2015                  17622                 17643
2014                  17819                 18015
2013                  12652                 12825
2012                  missing               10379
2011                  missing               8987
2010                  missing               8752
2009                  missing               7586
2008                  missing               8729
2007                  missing               8221
2006                  missing               7362
2005                  missing               6866
2004                  missing               6534
2003 (partial year)   missing               3742

I think it's a little weird that the numbers between the two pages do not add up. But maybe it's just me. It does not seem like the numbers differ too much; I am much more interested in having current numbers than in dithering about a few hundred complaints a year.

Next I would head over to the Enforcement Results by Year. This is perhaps the best page to really understand what OCR is doing. It breaks the enforcement up into 5 charts. This whole page really should be just one big CSV file. I will probably make one and add it to this article later, perhaps even a trend chart to see how enforcement is changing over time.

The State Attorneys General have been allowed to enforce HIPAA since HITECH, and they are required to send notice to HHS when they do so. We need data to know how often this is happening and whether it is effective.

What are the big takeaways? I think these count:

  • We know that HIPAA complaints are increasing steadily each year.
  • It seems, generally, that OCR is “resolving” more but investigating less, in the relative sense.
  • A very, very small number of infractions result in financial penalties, but there are many cases where corrective action of some kind occurs.

It seems like the picture here is that OCR is the proverbial one-legged man in an ass kicking contest. They are, in fact, becoming more efficient over time, but it is because they are focusing on getting more people to do the right thing, and they are really not going after many of the very bad actors.