How has the HIPAA Privacy Rule been enforced so far?
Since the establishment of the Privacy Rule in 2003, OCR has received
almost 45,000 complaints. It has completed full investigations in about 13,000 of
those cases, finding violations in almost 9,000 of them. Of the 32,000 cases where
investigations have not been completed, about 25,000 of them were closed as
being ineligible for enforcement because the complaint was not timely or did not
describe any potential violation.
Link: http://wnylc.com/health/afile/118/105/
It's NY, but I imagine other states are basically the same.
I find this troubling, though I couldn't find what a not "covered entity" was. Maybe it amounts to nothing.
Link: http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/506.html
State public records laws, also known as open records or freedom of information laws, all provide for certain public access to government records. How does the HIPAA Privacy Rule relate to these state laws?
Answer:
If a state agency is not a “covered entity”, as that term is defined at 45 CFR 160.103, it is not required to comply with the HIPAA Privacy Rule and, thus, any disclosure of information by the state agency pursuant to its state public records law would not be subject to the Privacy Rule.