November 3, 1999 HIPAA Announcement:

Government News on HIPAA Privacy Complaints

09/24/03

Any notion that patients would take a cavalier attitude about the HIPAA privacy rule is apparently ill-founded because HIPAA privacy enforcers already have received 1,800 complaints of privacy violations.

That's up from the June figure of 600 complaints reported by OCR Director Rick Campanelli in an interview.

Susan McAndrew, senior adviser at the HHS Office for Civil Rights, which enforces the privacy rule, said at this week's Seventh National HIPAA Summit in Baltimore that about 30% of the cases were closed, either because they were resolved or fell outside OCR jurisdiction (e.g., they pertained to practices that predated the April 14 effective date of the privacy rule or the alleged offenders weren't covered entities.) Some complaints have been referred to the Department of Justice for possible criminal prosecution.

Most of the complaints came from patients. The complaints included allegations that

(1) providers failed to provide access to records;

(2) other people knew medical information about the patients, which they thought was leaked by the provider inappropriately;

(3) protected health information (PHI) was visible in providers' offices; and

(4) providers spoke too loudly, and bystanders overheard PHI.

Otherwise, McAndrew said OCR is pleased with compliance efforts it has seen so far. OCR has not imposed any fines or other monetary penalties yet. OCR investigations are typically conducted by telephone, and problems have often been corrected through informal corrective action plans with covered entities.

Reprinted from the 9/18/03 issue of Report on Medicare Compliance.