Health Information Management

OCR issues breach and compliance reports to Congress

HIM-HIPAA Insider, June 30, 2014

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

by Jaclyn Fitzgerald, Editor

OCR recently sent two annual reports to Congress that summarize 2011–2012 HIPAA breach and compliance activities as required by the HITECH Act.
OCR received 236 reports about breaches affecting 500 or more individuals in 2011, according to OCR's Annual Report to Congress on Breaches of Unsecured Protected Health Information. These breaches affected approximately 11,415,185 individuals. OCR received 222 reports about large breaches in 2012. Although the number of reportable breaches affecting 500 or more individuals in 2012 decreased only slightly, the overall number of individuals affected dropped to 3,273,735. Although OCR focused primarily on 2011–2012 breaches, it included some data as far back as 2009. In total, OCR received 710 reports affecting 22.5 million individuals from September 23, 2009, to December 31, 2012.
The top causes of 2009–2012 breach incidents include theft, loss, and unauthorized access/disclosure. For 2011 and 2012 only, the report cited six causes, including theft, loss, unauthorized access/disclosure, improper disposal, hacking/IT incident, and unknown/other. Theft was the leading cause accounting for 49% of 2011 breaches and 52% of 2012 breaches. Unauthorized access/disclosure came in at second place for 2011 (19%) and 2012 (18%).
Healthcare providers submitted the majority of breach reports in 2011 (63%) just as they did in 2012 (68%). The majority of PHI that was exposed in 2011 breaches was on paper (27%) or laptop computers (20%). In 2012, breaches of PHI on paper and on laptop computers took the lead once again but this time with nd laptop computers in the top spot at 27% and paper trailing behind at 23%.
Since the end of 2013, OCR entered into resolution agreements with seven covered entities for the 458 breaches that occurred 2011–2012. These are the first OCR settlements brought about by investigations into reported breaches.
OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance provides enforcement data through 2012 with particular focus on 2011–2012. Since the 2003 HIPAA Privacy Rule compliance date, OCR received 70,259 complaints for alleged HIPAA violations and had resolved 91% of these complaints as of December 31, 2012. OCR issued corrective action for 66% of the 27,466 HIPAA complaints investigated since 2003. The number of new complaints rose to 9,022 in 2011 with 8,363 complaints resolved. This number increased again in 2012 when OCR received 10,454 complaints and resolved 9,408.
The majority of issues investigated since the Privacy Rule compliance date were due to the following:
  • Impermissible uses and disclosures of PHI
  • Lack of safeguards of PHI
  • Denial of individuals’ access to their PHI
  • Uses or disclosures of more than the minimum necessary PHI
  • Lack of administrative safeguards of ePHI

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs
  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular