Is the agency that enforces HIPAA doing enough to make sure that organizations that have had multiple smaller health data breaches are taking steps to improve security?
A recent year-long investigation by not-for-profit journalism organization ProPublica found that hundreds of covered entities - ranging from the U.S. Department of Veterans Affairs to retail pharmacy CVS - have had many smaller breaches as well as HIPAA noncompliance complaints reports filed to the Department of Health and Human Services over the last few years with little or no consequences.
"If entities are out there thinking we are asleep at the wheel, then they need to wake up because we are not asleep at the wheel."
For instance, in analyzing HHS' Office for Civil Rights' data, ProPublica found that between 2011 and 2014, CVS had more than 200 HIPAA complaints as well as smaller breaches affecting fewer than 500 individuals each.
But to date, OCR has issued only one enforcement penalty against CVS, and that was back in 2009. In that case, an OCR resolution agreement with CVS over a case involving improperly disposed pharmacy records and bottles in dumpsters in 2006 and 2007 called for the retail chain to pay a $2.25 million fine and implement a corrective action plan.
Of the 28 resolution agreements that OCR has signed since 2008, only one has stemmed from a data breach impacting fewer than 500 individuals. That was a settlement in December 2012 with The Hospice of North Idaho for a case involving a stolen unencrypted laptop. The breach that kicked off OCR's HIPAA investigation of the hospice affected 441 individuals. The resolution agreement included a corrective action plan and $50,000 financial penalty.
In an interview last September, Deven McGraw, OCR's new deputy director of health information privacy, told me that the office pays attention to HIPAA breaches large and small, but the larger incidents that get listed on OCR's infamous "wall of shame" website get more scrutiny.
"We investigate every breach of more than 500 records, and look at a lot of breaches that are under 500 records, and we respond to complaints that people have filed about HIPAA violations," she said. "We have an enforcement infrastructure in place to both look at these and investigate them, and if entities are out there thinking we are asleep at the wheel, then they need to wake up because we are not asleep at the wheel. Counting on not getting caught, counting on not getting audited - business associates will be part of the next phase audit program - probably is a risky strategy. "
But even before the ProPublica analysis, OCR's handling of smaller breaches and complaints had been under scrutiny by government watchdog agencies.
In a September 2015 report evaluating OCR's follow-up on breaches reported by covered entities, HHS' Office of Inspector General reported that OCR did not record information about smaller breaches in its case tracking system, limiting OCR's ability to track and identify covered entities with multiple small breaches. OIG also found that OCR investigators often miss breach patterns indicating repeat offenders (see OIG: HIPAA Enforcement Activities Need a Boost).
OIG made several recommendations to OCR on how to improve its handling of breach cases, including oversight of small incidents. That included recommending that OCR enter information about small breaches into its case-tracking system or a searchable database linked to it. The report notes that OCR agreed with all of OIG's recommendations.
OCR did not reply to my request for comment on its plans to improve scrutiny of smaller breaches and repeat offenders.
But given the long list of tasks on OCR's to-do list for 2016, including issuing HIPAA guidance on cloud computing and other subjects; developing a new HIPAA audit protocol that pertains to business associates; and launching phase two of the long-delayed audit program, it's questionable whether OCR will be able to stretch it's already skimpy resources to focus more attention on the thousands of smaller breaches and HIPAA complaints that get filed every year.
"I do think that the Office for Civil Rights is stretched very thin investigating the large breaches and growing the proactive audit program of both covered entities and business associates," independent privacy attorney Susan Miller tells me. "OCR should give the smaller breaches more time and attention. It is important that the entities that have small breaches also need to be fined if the problem that caused the breach is significant. Just because the breach is small does not mean that the entity that had it should not be accountable for the event."
Miller recommends that OCR consider creating administrative boards with hearing officers in all 10 of its regions. "If each small breach report was significant enough, the board could fine the breaching entity, covered entity or business associate, a small fine, say $1,000," she says.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who formerly worked at OCR, contends that the HIPAA enforcement agency should be resolving a greater number of egregious cases through financial settlements.
"I expect that OCR feels the same way but is constrained by its resource limitations," he says. "But I also hope that OCR continues to resolve most cases through voluntary corrective action, especially cases where an organization made reasonable efforts to comply with the law but an employee went 'rogue,' or where there was genuine confusion regarding what the law requires."
Greene says he'd like to see more transparency about smaller breaches. "Right now, the only information we get is in the reports to Congress or in OCR presentations. It would be great to have regularly updated information regarding what types of small breaches OCR is seeing and what types of entities are reporting these small breaches."
So what's your critique of OCR's enforcement efforts? We invite you to share your views in the space below.