HIPAA Compliance Waning from Lack of Enforcement

The June 5, 2006, Washington Post reports that the Department of Health and Human Services' Office of Civil Rights (OCR) has received over 19,000 complaints regarding medical privacy violations, but the department has only prosecuted two criminal cases and has not issued one fine against any individuals or companies.

Seventy-three percent of the over 19,000 complaints have been closed by the agency, and accused physician practices, hospitals, and health plans have simply been allowed to correct the problems that led to wrongly revealed patient data.

The OCR has the authority to issue fines of $100 per violation, up to $25,000, against providers that leak private data. Criminal violations can be prosecuted by the U.S. Department of Justice and can lead to penalties of up to $250,000 and 10 years in jail.

Many critics and lawmakers argue that by not prosecuting or issuing fines against these health care providers, the agency has sent a message to providers that lax compliance will be tolerated.

While HIPAA does not mention one word about shredding, the requirement to guard against unauthorized access to protected health information has been one of the most significant demand-drivers for shredding services over the last decade.