The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has submitted a report (PDF) to Congress on HIPAA compliance that reveals the most common privacy compliance issue investigated from April 2003 to Dec. 2010 was impermissible uses and disclosures of protected health information (PHI).
The "Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010" summarizes compliance with HIPAA, complaints received by HHS of alleged violations of the HITECH Act or HIPAA rules and HHS' responses to complaints.
From April 2003, the compliance date of the HIPAA Privacy Rule, to Dec. 2010, the most common Privacy Rule compliance issues that OCR investigated were the following, in order of frequency:
1. Impermissible uses and disclosures of PHI.
2. Lack of safeguards of PHI.
3. Denial of individuals' access to their PHI.
4. Uses or disclosures of more than the minimum necessary PHI.
5. Inability of individuals to file complaints with covered entities.
From April 2005, the compliance date of the HIPAA Security Rule, the most common areas in which entities failed to demonstrate adequate policies and procedures or safeguards, as required under the Security Rule, were the following, in order of frequency:
1. Response and reporting of security incidents.
2. Security awareness and training.
3. Access controls.
4. Information access management.
5. Workstation security.