[Med-privacy] HIPAA privacy rule enforcement

pmarshall pwm@comcast.net
Sun, 06 Jun 2004 18:57:59 -0700


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
 
<div align="center">  
  
<table width="684" cellspacing="0" cellpadding="0" border="0">
       <tbody>
    <tr>
 <td width="676" colspan="3" bgcolor="white" valign="top">
      <table width="676" cellspacing="0" cellpadding="0" border="0"
 bgcolor="white">
        <tbody>
          <tr>
            <td width="30">&nbsp;</td>
            <td width="0"><br>
 </td>
            <td width="611">&nbsp;&nbsp;
            <table width="100%" cellspacing="0" cellpadding="0"
 border="0" bgcolor="white">
              <tbody>
                <tr>
                  <td><font face="Verdana" size="2" color="black"><i>Privacy
In Focus</i>, May 2004</font><br>
                  <br>
                  </td>
                </tr>
                <tr>
                  <td colspan="2" width="100%"><font face="Verdana"
 size="2" color="black">
                  <div> 
                  <p>One of the big surprises since the HIPAA Privacy Rule&#8217;s
April 14, 2003 compliance date has been the lack of visible enforcement&#8212;no
lawsuits, no civil penalties, no criminal actions and no public enforcement
of any kind. Is this about to change? </p>
 
                  <p><strong>OCR Enforcement</strong></p>
 
                  <p>Obviously, the enforcement strategy set out by the Office
for Civil Rights (OCR)&#8212;the U.S. Department of Health and Human Services (HHS)
arm tasked with HIPAA Privacy enforcement&#8212;initially focused on education,
voluntary compliance and problem solving, rather than punishment. In addition,
because the office indicated (quite publicly and consistently) that its enforcement
approach was to respond to complaints, rather than initiate proactive investigations,
some lag time between the compliance date and public enforcement was inevitable.</p>
 
                  <p>Now, in some recent public pronouncements, HHS has indicated
that there may soon be a change in enforcement strategy&#8212;or at least more
visible enforcement of the Privacy Rule. For example, in a recent presentation
before the Health Law Section of the District of Columbia Bar, OCR head Richard
Campanelli reported that a variety of the cases his office has investigated
are "in the pipeline" for either civil or criminal enforcement. </p>
 
                  <p>Among the more interesting enforcement statistics to
date:</p>
 
                  <ul>
                    <li>HHS has received more than 5,000 complaints under
the Privacy Rule. (Is this a large or small number? There is really no way
to tell, given the vast number of individuals who have privacy interests
under the HIPAA rules.) </li>
                    <li>Approximately half of these complaints have been
resolved, without any formal enforcement. </li>
                    <li>Approximately half of the complaints, therefore,
remain unresolved. Campanelli reported that 50 complaints have been referred
to the Department of Justice (DOJ) for potential criminal investigation.
Due to the way the enforcement statute has been written, those cases being
pursued criminally cannot also be the subject of a civil monetary penalty.
                    </li>
                  </ul>
 
                  <p>Campanelli also identified the top five "topics" of
privacy complaints, as well as the top five categories of entities against
which complaints have been lodged. </p>
 
                  <p>The top five categories for complaints have been: (1)
impermissible use or disclosure of protected health information (PHI), (2)
lack of adequate safeguards to prevent such use or disclosure, (3) failure
to provide access to PHI, (4) disclosure of PHI that exceeds the "minimum
necessary" standard and (5) failure to provide notice of privacy practices.</p>
 
                  <p>The kinds of covered entities against which complaints
have been made are: (1) private health care providers (presumably meaning
doctors), (2) general hospitals, (3) pharmacies, (4) outpatient facilities
and (5) group health plans (presumably specific to employer-sponsored health
plans and not encompassing the insurers that operate their own insurance
arrangements).</p>
 
                  <p>As HHS gears up its enforcement efforts, what are the
issues for covered entities (and others) to keep in mind? </p>
 
                  <p><strong>Criminal Enforcement: How Broad Will It Be?</strong></p>
 
                  <p>On the criminal enforcement side, the DOJ&#8217;s likely level
of interest in pursuing HIPAA privacy criminal violations is the subject
of widespread debate. While this is mainly a question of prosecutorial resources
and priorities, a parallel debate is underway within the DOJ, looking at
potential targets of a criminal enforcement proceeding. In particular, the
DOJ is assessing whether it can bring criminal charges not only against covered
entities, but also against employees of covered entities and business associates.
While "covered entities" are the only organizations against which HIPAA civil
penalties can be brought (because they are the only entities that are required
to follow the HIPAA rules), the DOJ will be examining whether it can bring
charges against individual employees who intentionally violate the privacy
rule (some of the more egregious examples of privacy violations in the last
year have involved individual "rogue" employees who disregarded privacy policies,
often for personal gain). Certain individual DOJ prosecutors also have asserted 
that they can pursue criminal HIPAA violations against "business associates" 
who intentionally violate the required terms of their business associate contracts.
Obviously, any criminal enforcement actions against employees or business
associates will be met with strong resistance and significant challenges.</p>
 
                  <p><strong>Transactions Enforcement Approaches</strong></p>
 
                  <p>Similarly, covered entities need to focus on the enforcement
strategy under the Standards for Electronic Transactions. HHS&#8212;through the
Centers for Medicare &amp; Medicaid Services (CMS), the enforcement agency
for the standard transactions rule&#8212;has indicated a similar enforcement policy
for transactions violations: responding to complaints and pursuing education
and remediation rather than punishment. The standard transactions enforcement
approach is complicated by the "contingency plan" aspects of the transactions
rule, which have allowed covered entities additional time to meet the full
standards of the transactions rule, as long as the covered entity is engaged
in "good faith efforts" to meet the compliance requirements. CMS has recently
indicated that it will begin paying Medicare providers on a slower timetable
if they do not submit standard transactions. Is this the first step towards
eliminating the "contingency plan" option and moving towards more aggressive
enforcement of the transactions rule as well? And how will the fact that many
transactions complaints have involved business disputes between payers and
providers factor into the enforcement analysis? </p>
 
                  <p><strong>Where Are the Lawsuits?</strong> </p>
 
                  <p>The other big enforcement question involves civil litigation&#8212;where
are the civil claims related to the HIPAA Privacy Rule? As with the predecessor 
privacy rule involving the financial services industry, the Gramm-Leach-Bliley 
Act, the barrage of publicity and compliance activity related to HIPAA compliance 
has not resulted in any significant number of privacy-related lawsuits focusing 
on violations of the HIPAA Privacy Rule. Although the Privacy Rule itself 
does not expressly provide for a private cause of action, it remains surprising 
that so few suits related to the HIPAA standards have been filed. While HIPAA 
has emerged as an issue in a wide range of cases where medical information 
of some kind is at issue, primarily in the context of discovery disputes, 
HIPAA&#8212;or violations of medical privacy rules generally&#8212;has not been the focus 
of significant litigation. Will this change if government HIPAA enforcement 
becomes more stringent? </p>
 
                  <p>On the whole, while covered entities that have been
acting diligently to comply with HIPAA&#8217;s requirements have had "smooth sailing,"
we can expect more aggressive enforcement of the rules over the next year. Covered
entities should remain vigilant in their compliance activities, and should
be looking actively at how they can audit compliance and modify their privacy
compliance activities to meet both changes in the enforcement structure and
changes in a company&#8217;s overall health care operations.</p>
 
                  </div>
                  <br>
                  </font><br>
                  </td>
                </tr>
              </tbody>
            </table>
            </td>
          </tr>
        </tbody>
      </table>
      </td>
      <td width="35">&nbsp;</td>
    </tr>
  </tbody>
</table>
       	  
<div align="center"><font size="2" face="Times New Roman, Times, serif"><b><font
 size="1">&copy;</font>2004            Wiley Rein &amp; Fielding <font
 size="1">LLP</font>&nbsp; </b> </font></div>
        </div>
  <br>
 
</body>
</html>
