OCR said it received only 421 complaints in its HIPAA privacy enforcement program in November 2008 for a total of 40,669 complaints since the program started in April 2003. OCR received 656 complaints in October.
Of the 11,355 complaints that fell within OCR’s power to act, 7,570 required corrective actions by the covered entity. The remaining 3,785 investigations did not uncover a HIPAA violation.
In other words, about one-third of the complaint investigations uncovered no violation.
As of November, about 18.6% of all complaints received since 2003 (7,570 of 40,669) had resulted in changes in the policies and procedures of the covered entities.
After more than five years, HHS still has not imposed a civil penalty. HHS pointedly did not impose civil monetary penalties in its agreement with Providence Health (08/08 HIP/SA, p.1). That enforcement action, according to industry observers, mimicked the FTC’s approach to data security issues.
Moreover, the facts of the case indicate that Providence was held accountable for HIPAA security violations rather than privacy violations.
OCR said that it resolved more than 80% of all complaints received. However, that percentage also includes the sizeable number of complaints that were closed because they did not fall within HHS’s jurisdiction or for some other technical reason: roughly two-thirds of total complaints.