Health Information Compliance Alert

Industry News:

Why Does HIPAA Still Not Have the Healthcare Industry On Its Toes?

The Health Insurance Portability and Accountability Act (HIPAA) -- as was expected -- got a big boost from the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which extended the privacy rules to business partners, provided for steeper penalties in case of violations, and promised periodic audits. But these beefed-up rules haven't quite had the desired effect. Industry observers say HIPAA still hasn't climbed very far up anyone's priority list. Read on to find out why.

One reason HIPAA elicits a big yawn, even though the HITECH Act claims to be very serious about privacy violations, is that the present administration hasn't been very serious with its follow-through, according to Gienna Shaw, senior technology editor with HealthLeaders. In fact, the Office for Civil Rights (OCR) hadn't decided at press time when it will conduct the periodic audits, for example, or even how it will pay for them. Sue McAndrew, deputy director for Health Information Privacy at the OCR, said at the 18th Annual National HIPAA Summit last week that OCR is working with a HIPAA privacy and security expert to help the organization "map out essentially the range of options that we have and what would be the most effective." There are "1,000 ways to do this," Shaw added in a recent post on www.healthleadersmedia.com.

Another factor: According to Shaw, the loophole in HHS' interim final rule on breach notification is the agency's "harm threshold" standard. This standard says that the unauthorized use or disclosure of personal health information (PHI) can be legally termed a breach only if it causes some harm to the individual whose information it is. So covered entities and their business associates will now actually have to perform a risk assessment to determine what kind of harm the breach caused. Congressmen are "deeply concerned" about this "harm threshold" standard because it gives covered entities and business associates a "breadth of discretion" as they investigate. Providers love it because the judgment of whether harm has been caused is now open -- up to a point -- to being tweaked by various human factors, such as the individual perspective of the investigator.

There are also statistics showing that healthcare organizations are not doing what they should to comply. In January 2010 alone, there were 35 reports of breaches affecting more than 500 individuals each, resulting in 712,000 notices, according to McAndrew. Most of the reports involved PHI contained in lost or stolen unencrypted media or portable devices, Shaw points out in her post.

A business associate can be held directly liable for a breach of unsecured PHI and responsible for those hefty new fines, said McAndrew. On the other hand, she also said that OCR would consider decreasing or even waiving some of the penalties depending on the financial state of the violating hospital. The "settlement door is always open," she added.

(Editor's note: To read more, go to: www.healthleadersmedia.com/page-2/TEC-246265/Does-Anybody-Care-About-HIPAA-Anymore.)