The number of fines from the Office for Civil Rights (OCR) of the Department of Health and Human Services for HIPAA violations seems to be disproportionately low, according to a recent ProPublica article. Charles Ornstein writes that only 22 penalties have been issued by that organization since 2009, even though there have been more than 1,400 breaches during this time.
Ornstein's information comes in part from the Office's website itself, which lists the many recorded breaches going back to October 21, 2009. These incidents include various kinds of physical materials that were breached, including laptops, papers, emails and network servers.
Multiple experts and industry professionals whom Ornstein mentions point to the overwhelming amount of work that the OCR has to deal with, as well as its low number of staff, as chief reasons why oversight of breaches has been so low despite an increase in activity.
New possible violations are still arising. A local Wisconsin news source reported on a breach at the Medical College of Wisconsin late last month, in which information relating to hundreds of individuals was jeopardized after a single document was stolen. In a statement, the college said that the breach took place on February 15 and that they "have taken steps to prevent this type of event from reoccurring."
While government agencies grapple with funding and policing issues, the threat of further HIPAA violations is still real for many healthcare stakeholders. By turning to providers of HIPAA compliance services, healthcare providers and others that are concerned about staying within the government's rules will have assistance with the specific issues they need to focus on. Experience in this field is needed to make the right changes to security policies for medical entities.