Home Health & Hospice Week

Health systems struggle to comply, survey suggests.

Once your HIPAA privacy program's in place, you may be tempted to believe that the hard work's over. But sitting back on your laurels could be a costly venture--to the tune of thousands of dollars in penalties--if you aren't staying vigilant. 

Caution: The drop in the number of health care providers reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning that compliance should not be taken for granted, Theresa Reynolds of the American Health Information Management Association tells Eli.

The percentage of health care privacy officers and others whose jobs relate to HIPAA privacy who believe their institution is more than 85 percent compliant dropped to 85 percent in 2006, down from 91 percent in 2005. As a result, the percent that believe they are less than 85 percent compliant increased from 9 percent in 2005 to 15 percent in 2006.

The news of the drop in compliance came on the heels of the final HIPAA enforcement rule, which was published early this year. Through the rule, the U.S. Department of Health and Human Services spells out policies for imposing civil money penalties for violations of the HIPAA Privacy and Security Rules.

What to do: Providers should evaluate their compliance with the new regulatory requirements on an ongoing basis, advises Martie Ross, an attorney with Foulston Siefkin in Wichita, KS. Allocate Resources Wisely Most respondents on the AHIMA survey--55 percent--cited a lack of sufficient resources as the most significant barrier to full privacy compliance. Respondents report sensing a loss of support from senior management, both in ensuring staff are aware of the need for privacy as well as ensuring sufficient budgeting for continued education and training.

Money spent on compliance should pay off quickly, Ross says.

The U.S. Office of Civil Rights, charged with enforcing the privacy rule, can levy penalties of $100 for each violation, up to a maximum of $25,000 for identical violations in the same calendar year.

Double whammy: In addition to the possibility of civil money penalties and criminal charges, HIPAA violations may form the basis for private causes of action against covered entities, Ross advises.

When asked about patient privacy concerns, 30 percent of the AHIMA survey respondents said they encountered more questions from consumers this year over last. In addition, 22 percent reported an increase in the number of patients who refused to sign release of information forms.

Lesson learned: Home health agencies need to play a role in educating consumers regarding the protection of their personal health information.