Last week, the National Institute of Standards and Technology (“NIST”), in conjunction with the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”), hosted a conference entitled “Safeguarding Health Information: Building Assurance through HIPAA Security.” Both OCR officials and others within the industry spoke regarding HIPAA developments. Perhaps the most anticipated presentation at the conference was the OCR Update, delivered by Iliana Peters, Senior Advisor for HIPAA Compliance at OCR.
During her talk, Ms. Peters summarized the types of Breaches reported to OCR over time. As of August 31, 2014, the most common cause of a reported Breach was theft, which accounted for 51% of reported Breaches. The next leading cause was unauthorized use or disclosure of Protected Health Information (“PHI”), which accounted for 18% of reported Breaches. As of the same date, the most common location of a Breach was a laptop, which accounted for 22% of reported Breaches. The next most common location was paper records, which accounted for 21% of reported Breaches.
Ms. Peters also described recent complaint and enforcement statistics. Specifically, she discussed a trend of increased HIPAA-related complaints. OCR received 9,022 HIPAA complaints in 2011, 10,454 HIPAA complaints in 2012, and 12,915 HIPAA complaints in 2013. HIPAA enforcement actions have also been occurring at a high rate. Between September 2009 and August 31, 2014, OCR received 1,176 reports of Breaches that affected 500 or more individuals and over 122,000 reports of smaller Breaches. And in 2013, OCR conducted a total of 4,463 investigations, 3,470 of which resulted in corrective action.
Perhaps of most interest to many parties in attendance, Ms. Peters shared some additional information regarding OCR’s upcoming HIPAA audit program. Specifically, OCR anticipates notifying audit targets and initiating document requests in fall 2014. Ms. Peters emphasized that auditors will not follow up with targets for clarifications, and thus it is vital that entities submit accurate and complete documentation upon initial request. Additionally, Ms. Peters said that audits will serve as an enforcement tool for OCR, which marks a departure from OCR’s 2012 audit pilot program in which audits and enforcement actions were separate.
We will continue to provide updates regarding OCR’s upcoming HIPAA audit program as they become available.