[Med-privacy] "Enforcement of HIPAA Privacy: Making it Real"
pmarshall
pwm@comcast.net
Mon, 24 Nov 2003 12:05:57 -0800
Enforcement of HIPAA Privacy: Making it Real
by Janlori Goldman, Katharina Kopp and Elizabeth Ida Tossell
November 19, 2003
It has been seven months since health care
providers, plans and others were required to
put the HIPAA privacy rule in place, and yet
a significant number (24%) report they are
not in full compliance with the law,
according to the latest survey by Phoenix Health
Systems. Further, more than 2,000 complaints
have been filed with HHS' Office for Civil
Rights, the agency charged with enforcing the
HIPAA privacy rule. Even though some
cases have been referred to the Department of
Justice for criminal violations, OCR has
yet to impose even a $100 fine. The
administration's enforcement philosophy is one that
favors "voluntary compliance," and the public
knows nothing about the complaints referred
to the Justice Department for possible
criminal violations. At this juncture, it is
critical for the administration to make clear that covered entities
must comply with the law and implement
the rule fully, or face serious consequences. Also, HHS must continue
to aggressively issue guidance on the
rule to ensure that misinterpretation and confusion do not block
access to high quality health care.
Current Enforcement Procedures for the HIPAA Privacy Rule
Under the privacy regulation, anyone who believes that a health care
provider, health care clearinghouse or
health plan has violated HIPAA may file a complaint with OCR. The
person who files the complaint does not
have to be personally affected by a violation and a "person" is
defined broadly to include any type of
association, group or organization. The OCR will investigate the
allegation, provide technical assistance,
and try to "seek voluntary compliance from covered entities because
it is often the quickest and most
efficient means of ensuring that individuals benefit from the
protections in the Rule," said Richard
Campanelli, director of OCR, in recent testimony before the Senate
Special Committee on Aging.
However, the rule empowers OCR to impose civil penalties of up to
$25,000 per year for each standard
violated, and the Department of Justice may impose criminal penalties
of up to $250,000 and 10 years in
prison for particularly egregious violations. Criminal penalties can
be imposed if the violation involves the
deliberate intent to sell, transfer, or use individually identifiable
health information for commercial
advantage, personal gain or malicious harm.
Policies Undermine Consumers' Privacy Rights
HHS officials have repeatedly stated that "voluntary compliance" with
the law is ideal, signaling to many in
the health care industry that HHS does not intend to vigorously
enforce the law. Given that HIPAA does
not give people the right to sue and that HHS' enforcement philosophy
is complaint driven, individuals must
rely on the Bush administration's Office for Civil Rights to
represent their interests.
In May 2003, HHS issued an interim final rule on civil monetary
penalties, outlining procedures that HHS
will follow in imposing civil monetary penalties for HIPAA
violations. In response, the Health Privacy
Project submitted comments urging HHS to strengthen the enforcement
rule to more appropriately reflect
the critical role that privacy plays in the delivery of health care.
By relying on the public to file
complaints, as opposed to aggressively monitoring compliance with the
rule, HHS depends on consumers to
be knowledgeable about what constitutes a violation of the rule and
about the process for reporting such
violations. This places an unfair and unrealistic burden on health
care consumers, and virtually ensures
that compliance with the law will be lax and spotty.
Complaints and Current Enforcement Actions
According to OCR testimony to the National Committee on Vital and
Health Statistics on Sept. 23, 2003,
about 2000 complaints have been filed, of which roughly one third
have been resolved and closed. The
complaints broke down as follows, alleging:
inappropriate uses or disclosures (350);
inadequate safeguards (280);
inability to exercise rights of access (170);
absence of or ineffective notice (50);
incidental disclosures (i.e., oral communications) (50); and
inappropriate authorizations.
Similarly, the majority of complaints the Health Privacy Project has
received as part of its privacy rule
complaint monitoring initiative have alleged unauthorized disclosures
or poor security procedures.
At the September NCVHS hearing, OCR also acknowledged that it has yet
to impose any penalties. OCR's
Director Richard Campanelli did say that a number of cases had been
referred to the Department of
Justice for potential criminal violations. OCR has not provided any
information as to the nature of the
DOJ cases.
However, some details of the alleged violations have surfaced from
other sources, both in the media and
through information the Health Privacy Project received. For
instance, on April 14, 2003, Ron Panzer, the
president of Hospice Patients Alliance, filed a complaint alleging
that the medical records of patients
treated at Hospice of the Florida Suncoast were publicly distributed
in software marketed by the hospice's
for-profit subsidiary, Hospice Systems, Inc. (St. Petersburg Times,
May 2, 2003). According to Panzer, the
software is currently used by more than 100 hospices, and as of Nov.
11, 2003, OCR had not contacted him
to follow up on his complaint, nor is he aware that any action has
been taken against the company.
Complaints Do Not Address Back-End Operations
While the importance of some of the complaints and the potential
impact on people should not be
underestimated, it appears that the majority of complaints do not
deal with the more invisible operations
of the health care system, where protected health information gets
moved around from one organization to
another and is shared with business associates and other
organizations. This is not surprising, since
consumers are most likely to only be aware of the most obvious
violations that they personally experience.
Therefore, by relying solely on the consumer to be cognizant of HIPAA
privacy violations, the OCR is
seriously abdicating its responsibility to fully enforce HIPAA
privacy.
Compliance with the Privacy Rule
According to the latest survey conducted by Phoenix Health Systems in
October, 24% of health care
providers are not fully compliant with the privacy rule, six months
after the deadline. Among those
providers that claimed to be privacy compliant, almost 40% had not
completed all necessary business
associate agreements. Approximately 50% reported that their
organizations had experienced one or more
privacy breaches in the past six months.
This self-reported data, which is likely to overstate the level of
compliance and understate privacy
breaches, suggests that substantial oversight remains necessary to
ensure that all covered entities adhere
to the privacy rule. Moreover, the lack of compliance with regard to
completed business associate
agreements suggests that in those health care back-end operations
where patients have the least
information and understanding of their privacy rights, covered
entities are least compliant and violations
are most likely to take place undetected. Particularly in the areas
that are not easily transparent to the
average consumer, OCR should not solely rely on complaints from the
public for compliance and enforcement
purposes.
HIPAA Enforcement Must Be Strengthened
The privacy rule is only as effective as its enforcement. By
abdicating its responsibility to monitor
compliance and placing the onus of reporting violations on health
care consumers, OCR is undermining the
HIPAA privacy rule and patients' privacy rights. As the Health
Privacy Project pointed out in its comments
on the interim final rule on civil monetary penalties, the HHS
Secretary has a duty to enforce the law.
HIPAA also empowers the HHS secretary to conduct compliance reviews
of covered entities. The
enforcement policy promulgated in HIPAA's interim final rule,
however, does not provide for any active and
routine monitoring of covered entities to ensure compliance. Without
such action, only those health care
consumers knowledgeable and savvy enough to complain to OCR will have
their rights upheld.
The interim final rule also states that HHS will first try to resolve
potential violations by 'informal
means.' While such an approach is a reasonable response to minor and
unintended violations of the rule that
occur within the first six to 12 months the rule is in effect, it is
wholly inappropriate for more serious
violations or for covered entities that demonstrate repeated
resistance to compliance.
OCR's reluctance to disclose details on the complaints it has
referred to the Department of Justice is
disconcerting. OCR should make a regular accounting of the number of
complaints it has received, their
nature and how they have been resolved. Furthermore, OCR should
launch a more ambitious campaign, and
account for its effort annually, in educating the public about its
rights under HIPAA. OCR can go a long
way toward educating both consumers and covered entities that the
privacy rule is not just another
bureaucratic hurdle to be overcome. The government has a duty to get
out the message that the law is
intended to safeguard sensitive information within the health care
system and encourage greater trust
between providers and their patients.
The comments by the Health Privacy Project also pointed to the
absence of any role in the enforcement
process for the individual whose privacy may have been violated.
Although individuals are responsible for
bringing violations to OCR's attention, they have no role in the
enforcement process and can't be
compensated if they are harmed. Any penalties are paid to the
government, not to the individual. Individuals
are allowed to participate in enforcement proceedings only if called
as a witness by the HHS secretary or
the covered entity against which the complaint was filed. HHS is not
required to inform the individual of
the date of the hearing or provide any opportunity to submit
testimony. The interim final rule should be
modified to include testimony or a written statement from the
individual whose privacy was violated and to
require a notice to the individual of the date, time and place of the
hearing.
Enforcing the Privacy Rule
To protect patient privacy, HHS should:
Conduct periodic compliance reviews of covered entities;
Step up its public education regarding individual rights
under the privacy rule;
Provide a detailed report annually to Congress of all
complaints filed, how they have been resolved,
as well as account for the agency's enforcement activities
that are not 'complaint driven;'
Allow individuals to participate in hearings regarding
their complaints; and
Amend the privacy rule to allow people the right to sue in
federal court for alleged violations.
Congress and the executive branch should monitor state
lawsuits brought by people who believe the
privacy rule was violated.
About the authors:
Janlori Goldman is director of the Health Privacy Project. The Health
Privacy Project is dedicated to
raising public awareness of the importance of ensuring health privacy
in order to improve health care
access and quality, both on an individual and a community level. Ms.
Goldman can be reached by e-mail at
jgoldman@healthprivacy.org.
Katharina Kopp is the Program manager for the Health Privacy Project.
In this capacity, Dr. Kopp manages
the Project's Consumer Coalition for Health Privacy and engages in
research, policy analysis and public
education on a variety of issues, including the HIPAA privacy
regulation, genetics and privacy and
bioterrorism and public health.
Elizabeth Ida Tossell, the Health Privacy Project's research
assistant, contributed to this piece. Ms.
Tossell is a graduate of Yale University, and is sharing with HPP her
research and writing skills, as well
as her passion for improving the world, until she goes to law school
next year.
The views expressed in this column are those of the authors and do
not represent the views of the California HealthCare Foundation or
the Advisory Board Company.
iHealthBeat is published daily for California
HealthCare Foundation by The Advisory Board Company.
© 2001 The Advisory Board Company.