On May 12, the Office for Civil Rights ("OCR") posted new information on its website regarding the agency's resolution of HIPAA privacy complaints and investigations during the first five years of HIPAA enforcement. While the data was new, it confirmed several familiar themes in HIPAA privacy enforcement:
1. Sixty-five percent of HIPAA complaints (16,528 of the 25,536 complaints filed between 2003 and 2007) were resolved after the initial intake and review stage. Most HIPAA complaints are resolved by OCR after receipt of a single response letter from the covered entity that is the subject of the complaint.
2. Of the cases that were referred for further investigation and review, OCR took "corrective action" 6,418 times and found "no violation" 2,690 times. OCR fails to explain what sorts of "corrective actions" it is taking.
3. OCR still has not imposed civil money penalties on a covered entity for a HIPAA privacy violation. Clearly, OCR's "corrective actions" have stopped short of the imposition of fines.
4. The total number of annual HIPAA privacy complaints has steadily risen each year, from 1, 508 in 2003 to 7,176 in 2007.
Given the continued rise in HIPAA privacy complaints, it is surprising that OCR has yet to find a violation meriting the imposition of penalties. Not that HIPAA covered entities are complaining …