HHS’ OCR Rarely Levies Fines for Security Breaches, Data Show
March 2, 2015 in News
HHS’ Office for Civil Rights has rarely levied financial penalties against health care organizations that have reported breaches of patient privacy, according to a ProPublica investigation.
The 2009 HITECH Act requires health care organizations to publicly report data breaches that affect 500 or more individuals. In addition, the law raised the maximum fine OCR can impose on health care organizations that violate patient privacy to $1.5 million per violation and required the agency to conduct audits.
In November 2013, HHS’ Office of Inspector General criticized OCR for not performing the audits required by the HITECH Act.
According to ProPublica, health care organizations since October 2009 have reported:
- More than 1,140 large breaches affecting more than 41 million individuals; and
- More than 120,000 small breaches, affecting fewer than 500 people each.
However, the agency has levied just 22 fines during that time period.
In addition, the report noted that the agency in some cases takes several years to levy fines. For example, the office imposed an $800,000 fine against Parkview Health System for a breach affecting 5,000 to 8,000 patients five years after the incident was reported.
Further, some organizations whose data breaches the office is currently reviewing say they are unaware of the status of the investigations.
Bob Chaput — CEO and founder of Clearwater Compliance, a company that helps organizations protect private data — said it is “disappointing and underwhelming” that OCR has levied the fines so rarely, adding, “They’re not doing as much as they could or should.”
However, other industry experts say OCR is trying to strike a balance between enforcing the laws and helping health care organizations to improve their security. For example, Joy Pritts, former chief privacy officer at the Office of the National Coordinator for Health IT, said, “What you don’t want [OCR] to become is somebody like your parking enforcement where they’re funding themselves by issuing tickets or fines to everybody who has the smallest infractions.”
In addition, some data security experts say the agency does not have the resources needed to manage its oversight tasks.
OCR declined a ProPublica interview request, but in a statement said that the office “aggressively” finds and investigates “high-impact cases that send strong enforcement messages about important compliance issues.” It noted that cases in which fines have been levied “involved systemic and/or long-standing” issues (Ornstein, ProPublica, 2/27).