Brief Your CEO: New OCR Data Shed Light on the Costs of Privacy Noncompliance

Getting lab officers to shell out money for compliance initiatives may be trickier when the penalties you're trying to head off are for privacy violations. After all, HIPAA penalties tend to be fairly modest compared to those handed out under the False Claims Act (FCA), the anti-kickback laws and other health care fraud statutes. But that shouldn't dissuade you. Even though HIPAA enforcement is much less of a government cash cow than FCA and kickback enforcement, it remains an ongoing risk, and when labs and other providers do get caught, it moves a lot of money out of their pockets and into the hands of the federal government.

Making the Business Case for HIPAA Compliance

As a lab compliance officer, you face the challenge of making this case to your CEO and/or CFO. Unfortunately, tracking the economics of HIPAA enforcement is relatively tricky because the government doesn't publish data on HIPAA recovery amounts the way it does for the FCA. However, new data from the HHS Office for Civil Rights (OCR) has recently emerged that offers rare insight into the dollars and cents of HIPAA enforcement over the past two decades. Here are the key figures, covering April 2003, when OCR began enforcing the HIPAA Privacy Rule, through 2020, that you will want to run past your lab officers:

  • $129,722,482: Total amount of civil penalties and settlements collected by OCR for HIPAA infractions;
  • $26 Million: Highest one-year total collected in past five years (2018);
  • $12 Million: Lowest one-year total collected in past five years (2019);
  • $16 Million: The highest ever settlement for a HIPAA violation, paid by Anthem in 2018 for a massive 2015 data breach affecting 79 million people;
  • 250,367: Total number of HIPAA complaints received by OCR;
  • 3,992: Number of HIPAA complaints that remain open (roughly 2 percent of total complaints filed).

Top 5 HIPAA Complaints

The OCR report also lists the top 5 most frequent reasons that people file HIPAA complaints:

  1. Impermissible use or disclosure of an individual’s protected health information (PHI);
  2. Lack of adequate safeguards for PHI;
  3. Lack of patient access to their PHI;
  4. Lack of proper administrative safeguards for electronic PHI; and
  5. Use or disclosure of more than the necessary amount or type of PHI.


From a lab compliance officer's perspective, perhaps the most meaningful number in the OCR report is 69, the percentage of HIPAA complaints that have resulted in corrective action being taken against a provider. In other words, nearly 7 in 10 HIPAA complaints end in a fine and/or the imposition of a corrective action. That is a figure worth citing to your lab officers the next time you encounter resistance to HIPAA compliance initiatives.
