Consumer complaints on potential HIPAA issues are increasing

Individuals’ complaints about misuse of protected health information are on the rise, according to an official within the Office for Civil Rights.

The office, within the Department of Health and Human Services, is on track to receive from 27,000 to 28,000 complaints this year, according to Nicholas Heesters, who works within OCR supporting HIPAA compliance and enforcement activities.

However, the vast majority of the complaints are resolved quickly, and providers generally are not found to be at fault, said Heesters, speaking last week during a packed session at the American Health Information Management Association conference in Miami.

“Corrective action is only required for a small percentage of them,” he said. “We have to determine whether it’s a valid complaint—sometimes, it’s not a HIPAA issue and not something within OCR’s jurisdiction. We’ve been noticing folks filing more complaints—people seem to be more cognizant of protecting their health information. They expect that organizations will protect their information.”


While portals give consumers more access to their health information, they have also heightened awareness and concern about the ease with which protected health information can be accessed, Heesters said. Consumers increasingly have been concerned about activity within their records that they can see on the portal, and they’re likely to contact providers for an explanation. If they don’t get a response, they’re likely to seek OCR intervention, he added.

OCR data from April 2003 to June 30 of this year shows a total of 184,000 complaints. Of those, 26,000 were resolved with some type of required corrective action after an investigation or request to providers for more information.

“When we do investigations, in the vast majority of cases, we’re able to work with entities to get compliance,” he said.

In a total of 55 high-profile cases, however, OCR has had to resort to resolutions that require corrective action plans and civil monetary penalties. “These get a lot of press when they come out, and we really only go there for more egregious actions,” Heesters said. “We generally work with entities to bring them into compliance in a reasonable way, but sometimes, that doesn’t work out.”

Heesters recommended several steps as best practices to reduce incidents of consumer complaints and the potential for data breaches:

• Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.

• Risk analysis and risk management should be integrated into business processes; reviews should be conducted regularly when new technologies and business operations are planned.

• Dispose of protected health information on media and paper that has been identified for disposal in a timely manner.

• Incorporate lessons learned from incidents into the overall security management process.

• Provide training specific to the organization and job responsibilities and, on a regular basis, reinforce workforce members’ critical role in protecting privacy and security.
