[Med-privacy] HIPAA Privacy Enforcement

pmarshall pwm@comcast.net
Tue, 22 Jul 2003 18:33:10 -0700 

=======================================================================
                           E P I C  A l e r t
=======================================================================
Volume 10.15                                              July 22, 2003
-----------------------------------------------------------------------

                            Published by the
              Electronic Privacy Information Center (EPIC)
                            Washington, D.C.

            http://www.epic.org/alert/EPIC_Alert_10.15.html



First HIPAA Privacy Enforcement Details Reported
======================================================================

Three months after the Health Insurance Portability and Accountability
Act (HIPAA) Privacy Rule became effective, the first updates on
enforcement activities reflect the law's early implementation
difficulties.

On June 24, the Office for Civil Rights (OCR), which is responsible
for the enforcement of the Privacy Rule within the Department of
Health and Human Services, provided an update to the National
Committee on Vital and Health Statistics (NCVHS), a public advisory
body to the Secretary of Health and Human Services.  Stephanie
Kaminsky of OCR testified that the office received 637 complaints
prior to the hearing date.  Of those, OCR had closed 124 cases and 513
remained open.  A total of 260 cases were accepted for investigation
after OCR determined that the complaint dealt with an issue, time
frame and entity over which OCR has proper jurisdiction.  No cases
have been referred to the Justice Department for criminal prosecution.
Complaints to the OCR have raised such issues as the inability of
individuals to access their information, inadequate safeguards for
health information, deficient provision of Notice of Privacy
Practices, and insufficient minimum necessary procedures to limit
disclosure in provider offices and facilities.

OCR has repeatedly stated that its enforcement goals are to promote
voluntary compliance within the health care sector and to handle most
complaints by providing technical assistance to the entity involved.
Despite assurances that such assistance will be the primary means of
enforcement, many health care organizations have become wary about
disclosing information when civil and criminal penalties might follow.
In an early July congressional briefing sponsored by the Healthcare
Leadership Council, some organizations stated that they are delaying
the use of e-mail and other communication technologies for
transmitting information to patients.  The delays are apparently
caused by the need to have appropriate verification procedures and
encryption in place to ensure that the information does not go astray.

Privacy Rule compliance and enforcement will remain prominent issues
over the next year as OCR refines the substantive portion of the
Enforcement Rule.  The interim procedural Rule is set to expire in
September 2004.

Office for Civil Rights in the Department of Health and Human
Services:

     http://www.hhs.gov/ocr/hipaa

National Committee on Vital and Health Statistics:

     http://ncvhs.hhs.gov

For more information, see EPIC's Medical Privacy Page at:

     http://www.epic.org/privacy/medical