Despite more health data breaches, fines remain rare

Although health data breaches are becoming more common, only 22 healthcare organizations or systems have been fined since 2009 by the Office of Civil Rights.

The OCR has repeatedly said it is cracking down on healthcare organizations that do not adequately protect patient information, but has infrequently levied fines after inquiries, according to an investigation by NPR and ProPublica. The HHS' inspector general has been openly critical of the way the OCR uses its authority, faulting the agency for not performing audits as it is supposed to, according to NPR.

An initial set of audits in 2011 and 2012 found that 102 of 115 organizations surveyed had at least some security issues, either with inadequate security measures or failing to follow rules to protect patient privacy. Some experts have said the OCR is understaffed and cannot handle the workload — it has fewer than 200 employees and a $39 million budget, according to the report.

However, having the OCR become too harsh is not a positive measure either — the agency is trying to strike a balance of working with organizations to improve their security inadequacies and fining exceptionally outlying cases.

"What you don't want [the Office of Civil Rights] to become is somebody like your parking enforcement where they're funding themselves by issuing tickets or fines to everybody who has the smallest infractions," Joy Pritts, the former chief privacy officer for the ONC, told NPR.

 

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
