
Health Information Privacy in the Digital Age: Where to Focus Enforcement Efforts

Information drives our economy, our education, our personal relationships, and our culture.  And health information is one of the most important and valuable assets in our brave, new, digital world.  Many tools allow us to leverage health information to improve our lives—social media provides us with opportunities to connect with family and friends about health issues; electronic health records allow our doctors to provide us with improved care and communication; the internet of things connects our devices to help us improve our healthy lifestyles; and big data may help researchers improve health outcomes for our nation.  At the same time, these important tools also create risks to the privacy and security of our health information. 

The HHS Office for Civil Rights enforces HIPAA, and, in OCR’s efforts to protect our health information, we are particularly confronted with the challenges posed by keeping health information private and secure in our digital world.  In order to help HIPAA covered entities and their business associates comply with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules and to help our regulated community get out in front of problems before they amount to violations, OCR has, over the past two years, issued extensive guidance on a host of HIPAA issues, as well as created a special portal to provide technical assistance to those developing exciting new technologies that can improve health care outcomes.  For example, please visit http://www.hhs.gov/hipaa/for-professionals/index.html to access our guidance documents for regulated entities and FAQs and http://www.hhs.gov/hipaa/for-professionals/special-topics/developer-portal/index.html for our new developer portal. 

At the same time, OCR continues to maintain a robust enforcement program to hold entities accountable when compliance issues arise.  OCR has just sent Congress our Reports to Congress for 2013 and 2014, which highlight all of this important OCR work.  We've also updated our website to provide information on our enforcement work for 2015 as well.

As you’ll see from the Reports and from our updated website, most of the work that we do happens when we investigate breach reports and other reports of systemic noncompliance with HIPAA.  Further, in 2015 and 2016, we’ve entered into a record number of settlement agreements, which you can find here: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html, and OCR will continue to focus its enforcement efforts and its resources in this area on cases that identify industry-wide noncompliance, where corrective action under HIPAA may be the only remedy, and where corrective action benefits the greatest number of individuals.  We hope that our resolution agreements will provide a template for other health care entities to take the proactive steps necessary to ensure compliance with HIPAA requirements. 

We’ve also initiated Phase II of our Audit Program, which will enable us to target our technical assistance to emerging challenges, provide information about replicable practices, and correct problems before they ripen into HIPAA violations.  For more information about our Audit Program, please visit: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

Moreover, OCR continues to be committed to reviewing each complaint that we receive from the public.  However, most complaints we receive don't actually allege violations of HIPAA.  Further, many complaints we receive allege possible violations that may be very difficult to prove; for example, evidence may be missing or may not exist, witnesses may no longer be available to interview, or the evidence may be insufficient to sustain a case.  It's hard for us not to be able to investigate every complaint, and we absolutely agree that every individual's complaint is vital to that person.  But we, as a federal agency, must invest our very limited investigatory resources to maximize the benefit for the American public, to get the most "bang for the taxpayers' buck," if you will.  As a result, where our annual data reveal recent reductions in, for example, the number of cases investigated, the resources that might previously have been devoted to individual case investigations have now been redirected to more systemic enforcement activities.

It's also important to note that the health care industry is more diverse than any other industry in our economy; thus, we work to raise the compliance practices of all kinds of health care companies, particularly with regard to keeping health information secure, including to combat cyber-attacks, which has been Congress's most recent charge to us.[1] Recent research shows that not only is health information more than ten times more valuable than credit card information,[2] but also victims of health information theft may not know that their information was stolen until years after the event.[3] As a result, OCR is laser-focused on breaches occurring at health care entities, and any issues that lead to them.  OCR's enforcement work now and in the recent past focuses on investigating the root causes of these breaches, which affect millions of individuals, rather than on individual complaints.  Much of the good work that OCR does ensures that entities take specific steps to correct security issues that lead to breaches with widespread impact.

We will continue our vigorous efforts to provide guidance and technical assistance, as well as to maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.  We look forward to partnering with all stakeholders in this work and are confident that, together, we can meet the challenges ahead and ensure the privacy and security of health information.

For more information about OCR’s enforcement work over time, as updated annually, please visit: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html.

[1] See the Cybersecurity Information Sharing Act of 2015 ("CISA"): https://www.congress.gov/bill/114th-congress/senate-bill/754.

[2] See, e.g., http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924.

[3] See, e.g., http://www.cnbc.com/id/101030634.
