Dive Brief:
- The Department of Health and Human Services' Office for Civil Rights (OCR), which is tasked with enforcing the HIPAA patient privacy law, receives more than 30,000 reports of privacy violations every year.
- Despite the high volume of breaches, most enforcement is directed toward the massive hacking cases that involve the data of thousands of patients, even though the harm in such cases is often hypothetical, with little actual damage demonstrated.
- As NPR reports, the most damaging breaches are often the ones that affect only one person at a time, such as when a healthcare professional divulges details about an acquaintance, such as disease status, suicide attempts, births or birth control history, that harm the patient's reputation. Such cases regularly spark legal fights across the U.S.
Dive Insight:
Federal officials appear to be taking mixed positions on the issue.
On the one hand, the OCR defends its practice of levying few consequences and generally "resolving" such disputes by reminding providers of HIPAA's requirements and obtaining promises to fix the issue that led to the breach.
OCR Director Jocelyn Samuels told NPR the agency will pursue formal sanctions when warranted, but sees its primary role as helping providers to follow the law. "Our preference is always to promote voluntary compliance," she said.
However, this fall the HHS criticized the OCR's method of handling small breaches, because the agency neither investigated them nor logged them into a tracking system, making it impossible to flag repeat offenders, NPR notes.
Samuels responded that the OCR would implement recommendations to improve oversight.
Even so, HIPAA does not allow victims to sue for damages over privacy violations; those seeking recourse must find "another cause of action," the difficulty of which varies by state.