Health Information Compliance Alert

Privacy Rule Enforcement Taking Shape - Some Fear Outcome:

OCR Spills Beans On State Of Enforcement

Covered entities everywhere have been waiting with bated breath for news on how the HHS Office for Civil Rights plans to enforce HIPAA's privacy rule. Well ... the wait is over, and policy has become practice.
 
Even though privacy rule enforcement is still in the early stages, the OCR's regional offices have been inundated with complaints of perceived violations.   
 
The OCR received 637 complaints between the April 14 privacy zero hour and June 24, the agency's Stephanie Kaminsky reported to the National Committee on Vital and Health Statistics.
 
The agency closed 124 of those cases, often because they involved complaints that didn't state an actual violation, events that preceded April 14, activities that aren't prohibited by HIPAA, or organizations that aren't covered by the privacy rule. The remaining 513 cases are open, and OCR has accepted 260 for investigation.
 
Kaminsky said most of the complaints OCR has received originate from individuals claiming they were denied access to their medical records or from patients who allege insufficient safeguards or inadequate minimum necessary procedures, especially within providers' reception offices or treatment areas. Many complaints also involve notices of privacy practices (NPPs), from individuals alleging either that they did not receive their NPP or that it was never posted. The absence of NPPs was a particular problem for direct treatment providers, Kaminsky tells Eli.
 
Of significant interest was a brief mention of complaints emanating from within organizations: "We have seen insiders in organizations alleging that their offices were not in compliance. So, I don't know if I would call them full fledged whistleblowers, but certainly something along those lines." 
 
Enforcement Too Lenient?

While many CEs appear to be content with OCR's enforcement policy, at least one health privacy group expressed deep concerns over the way in which OCR was handling complaints. 
 
In a June 16 letter addressed to Centers for Medicare & Medicaid Services Administrator Tom Scully, the Washington-based Health Privacy Project criticized the OCR's complaint-driven policy.

OCR noted that since the interim final rule's approach depends on consumers to be knowledgeable about their rights and the complaint process, it represents "an abrogation of the Secretary's duty under the statute to enforce the law and is an ineffective tool for ensuring that entities covered by the rules are adequately protecting the confidentiality of sensitive medical information."
 
The HPP's program manager, Dr. Katharina Kopp, said she was concerned that the OCR was focusing too heavily on CEs and not on consumers, and that there was no real effort on the part of the OCR to reach out to the average patient to explain his rights or how the complaint process works.
 
Kopp would like to see a proper annual accounting of complaints submitted to the OCR, and says those complaints should be filed with the HHS Secretary to document how they had been resolved. She tells Eli that while HPP has no qualms with the OCR working together with CEs to mitigate compliance snafus, she nevertheless believes entities can't be spoon-fed compliance forever: "Obviously there's a point when it needs to be clear that there are consequences for not complying with the rule." She worries that with the current enforcement policy, "people can't file complaints when they don't know what their rights are ... and many might not be aware that their rights have been violated."  
 
But for now, Kaminsky's remarks revealed that OCR's current goal is to work with providers to help them get compliant - not to wield its punitive authority with a heavy hand. "We are expecting and working toward a situation where a lot of the complaints that we receive might be able to be handled with technical assistance, with helping covered entities understand what exactly they need to be doing, and giving them the appropriate information so that they can voluntarily comply," she said. 
 
Tip: If you have a question about HIPAA compliance or potential violations, call the OCR's toll-free HIPAA Hotline number at 1-866-627-7748. 
 
Editor's Note: To see a transcript of Kaminsky's comments, go to http://ncvhs.hhs.gov/030624tr.htm.