Health Information Compliance Alert

Published on Tue Sep 30, 2003 PDF

OCR claims many complaints simply 'misunderstandings'

The recent spate of complaints levied against covered entities over the past few months doesn't seem to trouble the HHS Office for Civil Rights. In fact, the enforcement agency views a great number of these complaints as simple "misunderstandings."
 
Hundreds of ears pricked up early in the morning of Sept. 17 as Susan McAndrew, senior advisor for HIPAA privacy policy at OCR, delivered an update on privacy rule enforcement at the 7th National HIPAA Summit in Baltimore. Here are a few of OCR's most recently released statistics:
 
Total number of complaints has risen to more than 1,800 (up from 637 as of June 24);

OCR's 10 regional offices receive roughly 75 complaints each week;

Most complaints have been filed by individual patients against provider groups;

During the first five months that the privacy rule has been in effect, no civil money penalties have been issued; and 

30 percent of complaints have been dismissed due to jurisdictional reasons (some complaints were submitted prior to April 14, some didn't involve covered entities or the privacy rule, et cetera).
 

Regarding the potential for OCR to impose civil monetary penalties, McAndrew said OCR "doesn't expect to impose CMPs as a routine matter." To clarify that statement, only when a covered entity is "recalcitrant" or unwilling to cooperate with OCR to resolve the complaint will a CMP be imposed, she noted, adding that, for the most part, OCR has found that "providers are very willing to cooperate" with the agency.
 
As for potential violations, there have been few, said McAndrew, and OCR has referred such matters to the Department of Justice for further investigation.
 
McAndrew indicated that privacy rule complaints were viewed by OCR as one way of discovering where the common misconceptions are concerning the privacy rule, and said complaints permit the agency to clear up those misconceptions. For example, she noted that many of the complaints submitted for what an individual considered to be a violation have wound up in OCR's "Frequently Asked Questions" section of its Web site (to read the FAQs, go to www.hhs.gov/ocr/ and click on "View Health Information Privacy Frequently Asked Questions (FAQs)" on the upper left side of the page).
 
Providers concerned that OCR may make an unscheduled, on-site visit can stop fretting - at least for now. McAndrew said there have been no on-site visits to date, but indicated that "as complaints get more complicated," you can expect to see some direct visitation.
 
Following her presentation, McAndrew told Eli that investigators from each of the 10 regional offices for OCR work both with the individuals who initially submitted the complaint and the privacy officer of the covered entity involved in the alleged violation. She added that there likely would be 40 full-time investigators employed at the regional offices by the end of the year, and noted that each investigator would under a one-day training overview that was followed by a two-day intensive training course on investigative techniques.
 
And while she expressed optimism over the fairly benign nature of most complaints to date, McAndrew did add a gentle admonition to CEs: "If your phone rings, be prepared to answer [the OCR]."