If you haven’t read it already, do read Theresa Defino’s excellent report from HCCA Compliance’s Report on Patient Privacy on JDSupra. It may be one of the most interesting — and most frustrating — reports I’ve read about OCR investigations.
Why did I find it frustrating, you might wonder? Because of the lack of any actual body of enforcement actions on security rule violations.
So here’s an example of what they might consider a “high impact” case — drawn from my files, not their investigator’s comments in the report:
In July, 2018, this site investigated allegations that Holland Eye Surgery & Laser Center had knowingly covered up a hack and exfiltration of patient data that occured in June, 2016. The investigation uncovered evidence that supported the allegations: police reports filed by the covered entity itself with the police in July, 2016 that indicated that they had been sent samples of patient data and an extortion demand. Yet in public notice, they claimed they had no idea until March, 2018.
This site filed a watchdog complaint with OCR over the entity’s failure to disclose the breach to patients or to OCR, especially since the threat actor had notified them that he was selling patient data on the dark web.
It was circa July, 2018 that the complaint with OCR was filed.
There has been no closure of the investigation yet.
Wouldn’t it behoove OCR to vigorously enforce the notification requirement when it has evidence of willful noncompliance? Even if they decided to cut the covered entity some slack or accepted some “explanation” the covered entity may have offered them, this type of situation calls for enforcement/monetary penalty and not just a technical assistance letter.
This site has filed other complaints against other entities with OCR alleging violations of the security rule. In some cases, OCR has notified me that they have folded my complaint into the investigation they were already doing of the entity and that they will let me know when that is completed. In one case, they told me that they dropped a matter because the entity had dissolved their business. But they actually could have pursued it even after closure — especially since if they checked, they would discovered that the business is still operating.
OCR definitely needs more subject-matter experts when it comes to evaluating some complaints under the security rule. But they also need to realize that until they take enforcement action and publicize it, entities will continue to take risks and not worry so much about compliance if they think all they are likely risking is a technical assistance letter.