Health Information Compliance Alert

Compliance Update:

Stay Penalty Free By Redoubling Your Privacy Compliance Efforts

Health systems struggle to comply, survey suggests.

Once your HIPAA privacy program's in place, you may be tempted to believe that the hard work's over. But resting on your laurels could be a costly venture--to the tune of thousands of dollars in penalties--if you aren't staying vigilant.

Caution: The drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning that compliance should not be taken for granted, Theresa Reynolds of the American Health Information Management Association tells Eli.

The percentage of healthcare privacy officers and others whose jobs relate to HIPAA privacy who believe their institution is more than 85 percent compliant dropped to 85 percent in 2006, down from 91 percent in 2005. As a result, the percentage who believe they are less than 85 percent compliant increased from 9 percent in 2005 to 15 percent in 2006.

The news of the drop in compliance comes on the heels of the final HIPAA enforcement rule, which was published Feb. 16. Through the rule, the U.S. Department of Health and Human Services spells out policies for imposing civil money penalties for violations of the HIPAA Privacy and Security Rules.

Providers should evaluate their compliance with the new regulatory requirements on an ongoing basis, advises Martie Ross, an attorney with Foulston Siefkin LLC in Wichita, KS.

Allocate Resources Wisely

Most respondents to the AHIMA survey--55 percent--cited a lack of sufficient resources as the most significant barrier to full privacy compliance. Respondents report sensing a loss of support from senior management, both in ensuring that facility staff are aware of the need for privacy and in ensuring sufficient budgeting for continued education and training.

Money spent on compliance should pay off quickly, Ross says.

The U.S. Office of Civil Rights, charged with enforcing the privacy rule, can levy penalties of $100 for each violation, up to a maximum of $25,000 for identical violations in the same calendar year.

Double whammy: In addition to the possibility of civil money penalties and criminal charges, HIPAA violations may form the basis for private causes of action against covered entities, Ross advises.

When asked about patient privacy concerns, 30 percent of the AHIMA survey respondents said they encountered more questions from consumers this year than last. In addition, 22 percent reported an increase in the number of patients who refused to sign release of information forms.

Lesson learned: Providers need to play a role in educating consumers regarding the protection of their personal health information.

Editor's Note: For a copy of the report, "State of HIPAA Privacy and Security Compliance 2006," visit AHIMA's Web site at http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf.
