Understanding HIPAA Privacy Rule Enforcement
Having a strong compliance program in place may mitigate penalties for a violation.
BY JOHN E. STEINER JR., ESQ.
The HIPAA Privacy Rule has been in effect since April 2003. If your practice uses or discloses protected patient information electronically, you're subject to the Privacy Rule.
Because almost all ophthalmology practices fall into that "covered entity" category, you should be assessing your privacy programs now. It's critical that practices understand the Privacy Rule sanctions and the government's publicly stated enforcement posture because noncompliance can lead to problems for you and your practice.
The federal government may impose civil or criminal sanctions for violations of the Privacy Rule. Penalties can be serious for "knowing" disclosures of protected health information (PHI). However, if PHI is mistakenly disclosed, covered entities are afforded some protection under the Privacy Rule.
This article highlights key principles related to the Privacy Rule sanctions and closes with practical tips and additional resources. (The article summarizes key legal points from the HIPAA statute, related regulations, and guidance from regulatory agencies. It doesn't address whether or how a private party might seek to use any HIPAA standards in a private civil lawsuit, although there is strong speculation that this type of action may occur.)
Enforcing the Rule
The following federal agencies are responsible for HIPAA Privacy enforcement:
► The Office for Civil Rights (OCR) enforces the Privacy Rule civil sanctions.
► The Department of Justice (DOJ) enforces the Privacy Rule criminal sanctions.
Consistent with public statements to date from OCR, the federal enforcement authorities are expected to adopt a collaborative and conciliatory enforcement approach with covered entities that demonstrate "good faith" compliance efforts.
HIPAA Privacy Rule Training Programs
Through its Pathways training program, Emron offers this Web-based education in Privacy Rule compliance:
► Module 1: 3.5 credits, expiration date 11/30/04
► Module 2: 1.5 credits, expiration date 2/28/05
► Module 3: 2 credits, expiration date 6/30/05 (hospitals and skilled nursing facilities)
There are no fees for use of the program or for CME/CPE/CE credit registration. The program satisfies HIPAA's Privacy Rule compliance training requirement. You can register or view an outline of the program at www.emron.com/pathways.
Violations Can Be Costly
Privacy Rule civil sanctions are fairly straightforward.
Each violation carries a $100 penalty. But the total amount that may be imposed on a person for all violations of an identical requirement or prohibition during a calendar year may be up to $25,000.
Thus, there is a potential for money penalties to add up, especially for repeated violations.
Mitigating Circumstances
HIPAA does provide opportunities to prevent, mitigate and possibly avoid penalties.
A penalty may not be imposed under the terms above if it's established to the satisfaction of the Secretary of Health and Human Services (HHS) that the person liable for the penalty didn't know, and by exercising reasonable diligence wouldn't have known, that he or she had violated a Privacy Rule provision.
Essentially, a covered entity that can satisfy the OCR that it didn't know, and by exercising reasonable diligence would not have known, of a violation of HIPAA should not be assessed a civil money penalty.
Moreover, even if a covered entity did know, or by exercising reasonable diligence would have known, that it would be in violation, it may still avoid a penalty if the failure to comply wasn't through willful neglect, and if the noncompliance is corrected within 30 days.
In sum, the possibility exists that after receiving a complaint from the OCR, a practice could promptly correct the problem and avoid penalties.
And if HHS determines that a person failed to comply because the person was unable to comply, HHS may provide technical assistance during the 30-day period referenced above. Such assistance shall be provided in any manner determined appropriate by the Secretary of HHS.
Thus, reading all of the regulations together, it's possible that a violation could be corrected without any penalty being imposed by the OCR.
HIPAA Informational Web Sites
► www.hhs.gov/ocr/hipaa - U.S. Department of Health and Human Services, which administers the Privacy Rule
► www.ama-assn.org/go/hipaa - American Medical Association
► www.acponline.org/pmc/hipaa.htm - American College of Physicians and American Society of Internal Medicine
► www.state.oh.us/hipaa/234hpm.htm - Ohio State Medical Association and Ohio State Bar Association
► www.ccjm.org - The Cleveland Clinic Foundation, Cleveland Clinic Journal of Medicine, Volume 70, Number 3, March 2003
Reducing a Penalty
It's also possible to reduce a monetary penalty under the civil sanction authority.
If the failure to comply is due to reasonable cause and not to willful neglect, any penalty that's not entirely waived under the exceptions listed above may be reduced to the extent that payment of such penalty would be excessive relative to the compliance failure involved.
Imposing Criminal Sanctions
The criminal penalties under HIPAA are for what's termed "Wrongful Disclosure of Individually Identifiable Health Information." A person who knowingly and in violation of this statute uses or causes to be used a unique health identifier, obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person:
► Shall be fined not more than $50,000, imprisoned not more than 1 year, or both.
► If the offense is committed under false pretenses, shall be fined not more than $100,000, imprisoned not more than 5 years, or both.
► If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, shall be fined not more than $250,000, imprisoned not more than 10 years, or both.
It's too early to speculate how the DOJ will apply the "knowingly" standard and interpret what is meant by "intent" under HIPAA.
Have a Thorough Compliance Program
Practices should have thorough corporate Privacy Rule compliance programs in place. A proactive approach toward HIPAA privacy can help your practice avoid problems. The following policies can easily be adopted:
► Develop a Notice of Privacy Practices (NPP) that's delivered to all patients at their first encounter and clearly posted in your office. The NPP describes how the patient's medical information may be used and disclosed and states the patient's legal rights regarding protected health information. Review and revise your NPP as necessary.
► Delegate the position and duties of privacy officer to a staffer. This person should assume the responsibilities of keeping current on HIPAA trends, educating other staffers and implementing Privacy Rule changes.
► Use reasonable safeguards to keep PHI out of the sight of those not authorized to view it. Only share PHI with other covered entities for purposes of treatment, payment and healthcare operations.
► Develop written policies. These should address the handling of confidential information and complaints.
► Monitor patient information that's electronically transferred. Monitoring will test whether your compliance policies are being followed.
Implementing these basic policies should serve as a strong foundation for Privacy Rule compliance and stand you in good stead with the authorities if an isolated incident of noncompliance does occur.
John E. Steiner, Jr., Esq., is Chief Compliance Officer & Privacy Official for the Cleveland Clinic Health System.
Privacy Rule Q and A

Q. Which family members or friends can I talk to about the care of a patient?
A. The HIPAA Privacy Rule permits communication with "family or friends" who are involved in the patient's care or payment for that care, so long as the patient has had the opportunity to object to that person and has not done so. If the patient is unable or unavailable to object, you'll need to use your professional judgment to determine if discussing the patient with the person is in the patient's best interest. In addition, communication involving the patient's health information should be in lower voices with whatever safeguards are available at that time to reduce the possible disclosure of the patient's PHI.

Q. May I give another physician protected patient information over the phone?
A. Physicians are entitled to any patient information they need without authorization if they're involved in the care of the patient. If you know the physician and recognize him/her over the phone, you can provide him/her with the requested information. You should also verify that the physician is involved with the care of that patient by ensuring that the doctor is on record as the attending, consulting or admitting physician. If you are unfamiliar with the identity of this physician, ask for a phone number so that you can call back with the information.

Q. A patient's insurance company wants to discuss financial, medical or diagnosis information. What can I provide?
A. An insured person usually signs an "authorization" form that's required by the insurance company. This permits the insurance company to share and/or request information about the insured from others such as employers and healthcare providers. HIPAA privacy rules require a signed authorization form from the insured (your patient) to release or discuss the patient's PHI. However, the Privacy Rule permits the work force of a covered entity to disclose a "minimum necessary" amount of PHI for "treatment, payment or health care operations." Therefore, you can provide the insurance company with the diagnosis code until a signed form is received.

Q. The parent of one of my regular patients calls to discuss his child's medical condition. The patient has just celebrated her 18th birthday. What am I allowed to discuss with the parent?
A. At 18, the patient is recognized as a legal adult with individual privacy rights. You can't discuss the patient's PHI with the parent without permission from the patient. This can present a problem if the parent is responsible for the payment of the patient's services. In that case, disclosure of "minimum necessary" PHI is permitted.