The following is cross-posted from PHIprivacy.net:
Dennis Melamed provides monthly HIPAA complaint statistics based on reports by the HHS Office for Civil Rights (OCR).
It seems that not only did breach reports in general decline in 2009 relative to 2008, but privacy and security complaints to HHS also declined. Melamed reports:
OCR received 7,116 complaints in 2009, a sharp decline from the 8,526 received in 2008 and 8,174 received in 2007. In 2006, OCR received 7,334 complaints.
Keeping in mind that some of us expected to see an increase in breach reports due to the new disclosure and notification provisions in HITECH, what are we to make of this?
Melamed reports that OCR did not provide any reasons for the decline along with its statistics. But while interpreting a decline in non-HIPAA breach reports is somewhat muddled by an array of factors that could account for the decrease, a decrease in HIPAA reports should be more straightforward to interpret, because the law did not change in any way that would reduce reporting; if anything, the changes should have increased it.
So what is going on here? Are fewer people filing complaints because they have other priorities right now, like the economy? Is it that some covered entities do not realize that the law applies to them? Are covered entities deciding not to report and simply risking the consequences, because notification and breach costs are prohibitive when they are already struggling financially? If so, keep in mind that although states have fined individuals and entities for violations of HIPAA (cf. here and here for recent examples), HHS has not imposed any civil penalties for any breach.
Or is it the case that HIPAA-covered entities are doing a better job of protecting privacy and hence there are fewer incidents?
What do we make of the decline in reports?