Last month, PHIprivacy.net raised the question as to why we have seen no monetary penalties or strong enforcement actions by either OCR or the FTC when it came to cases of insider data theft for tax refund fraud schemes.
As I commented in that post:
Insider data theft is a serious problem with serious consequences to patients. Isn’t it about time OCR and/or FTC sent a strong message to covered entities that failure to prevent and/or detect insider data theft will lead to hefty penalties? Actually, isn’t it long past the time that they should have started doing this?
As I also noted in that post, I reached out to HHS for confirmation or denial of my observation of lack of monetary penalties or enforcement.
In response, Rachel Seeger of HHS wrote:
OCR refers these types of cases to the Department of Justice for criminal enforcement. As such, you will see them counted under DOJ referrals in our monthly statistics.
But DOJ only prosecutes the criminals. But what does OCR do about enforcing HIPAA in terms of the covered entity? How many insider breaches can a covered entity have and still not incur any monetary penalty or significant consequences from HHS/OCR for failure to prevent and/or quickly detect insider breaches under the HIPAA Security Rule?
On September 22, I wrote back to HHS, seeking clarification and writing, in part:
… does your previous answer means that OCR has never – and never will – impose a monetary penalty on a CE for that type of situation because the cases will just get referred to DOJ with no further investigation/action by OCR?
HHS never responded to that follow-up inquiry.
Obviously, it’s appropriate for OCR to refer cases for criminal prosecution. But that doesn’t explain why we haven’t seen strong enforcement action by OCR that sends a message to covered entities about preventing and quickly detecting insider data theft for tax refund fraud schemes.
If HHS/OCR won’t send a strong message by imposing a monetary penalty, will FTC get involved to protect patients by taking on one of these cases and putting a covered entity under 20 years of monitoring for data security? When I think about the FTC’s enforcement cases on data security and the risk of harm to consumers from data theft for tax refund fraud, would this be a good use of their resources?