(This is a commentary published in iHealthBeat on November 19, 2003.)

Enforcement of HIPAA Privacy: Making it Real
by Janlori Goldman, Katharina Kopp and Elizabeth Ida Tossell
November 19, 2003
©2003 The Advisory Board Company and the authors.
It has been seven months since health care providers, plans and others were required to put the HIPAA privacy rule in place, and yet a significant number (24%) report they are not in full compliance with the law, according to the latest survey by Phoenix Health Systems. Further, more than 2,000 complaints have been filed with HHS' Office for Civil Rights, the agency charged with enforcing the HIPAA privacy rule. Even though some cases have been referred to the Department of Justice for criminal violations, OCR has yet to impose even a $100 fine. The administration's enforcement philosophy is one that favors "voluntary compliance," and the public knows nothing about the complaints referred to the Justice Department for possible criminal violations.

At this juncture, it is critical for the administration to make clear that covered entities must comply with the law and implement the rule fully, or face serious consequences. Also, HHS must continue to aggressively issue guidance on the rule to ensure that misinterpretation and confusion do not block access to high quality health care.

Current Enforcement Procedures for the HIPAA Privacy Rule

Under the privacy regulation, anyone who believes that a health care provider, health care clearinghouse or health plan has violated HIPAA may file a complaint with OCR. The person who files the complaint does not have to be personally affected by a violation, and a "person" is defined broadly to include any type of association, group or organization. OCR will investigate the allegation, provide technical assistance, and try to "seek voluntary compliance from covered entities because it is often the quickest and most efficient means of ensuring that individuals benefit from the protections in the Rule," said Richard Campanelli, director of OCR, in recent testimony before the Senate Special Committee on Aging.
However, the rule empowers OCR to impose civil penalties of up to $25,000 per year for each standard violated, and the Department of Justice may impose criminal penalties of up to $250,000 and 10 years in prison for particularly egregious violations. Criminal penalties can be imposed if the violation involves the deliberate intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm.
Policies Undermine Consumers' Privacy Rights

HHS officials have repeatedly stated that "voluntary compliance" with the law is ideal, signaling to many in the health care industry that HHS does not intend to vigorously enforce the law. Given that HIPAA does not give people the right to sue and that HHS' enforcement philosophy is complaint driven, individuals must rely on the Bush administration's Office for Civil Rights to represent their interests.

In May 2003, HHS issued an interim final rule on civil monetary penalties, outlining the procedures HHS will follow in imposing civil monetary penalties for HIPAA violations. In response, the Health Privacy Project submitted comments urging HHS to strengthen the enforcement rule to more appropriately reflect the critical role that privacy plays in the delivery of health care. By relying on the public to file complaints, as opposed to aggressively monitoring compliance with the rule, HHS depends on consumers to be knowledgeable about what constitutes a violation of the rule and about the process for reporting such violations. This places an unfair and unrealistic burden on health care consumers, and virtually ensures that compliance with the law will be lax and spotty.
Complaints and Current Enforcement Actions

According to OCR testimony to the National Committee on Vital and Health Statistics on Sept. 23, 2003, about 2,000 complaints have been filed, of which roughly one third have been resolved and closed. The complaints broke down as follows, alleging:

• inappropriate uses or disclosures (350);
• inadequate safeguards (280);
• inability to exercise rights of access (170);
• absence of or ineffective notice (50);
• incidental disclosures (i.e., oral communications) (50); and
• inappropriate authorizations.

Similarly, the majority of complaints the Health Privacy Project has received as part of its privacy rule complaint monitoring initiative have alleged unauthorized disclosures or poor security procedures.

At the September NCVHS hearing, OCR also acknowledged that it has yet to impose any penalties. OCR Director Richard Campanelli did say that a number of cases had been referred to the Department of Justice for potential criminal violations. OCR has not provided any information as to the nature of the DOJ cases. However, some details of the alleged violations have surfaced from other sources, both in the media and through information the Health Privacy Project received. For instance, on April 14, 2003, Ron Panzer, the president of Hospice Patients Alliance, filed a complaint alleging that the medical records of patients treated at Hospice of the Florida Suncoast were publicly distributed in software marketed by the hospice's for-profit subsidiary, Hospice Systems, Inc. (St. Petersburg Times, May 2, 2003). According to Panzer, the software is currently used by more than 100 hospices, and as of Nov. 11, 2003, OCR had not contacted him to follow up on his complaint, nor is he aware that any action has been taken against the company.
Complaints Do Not Address Back-End Operations

While the importance of some of the complaints and their potential impact on people should not be underestimated, it appears that the majority of complaints do not deal with the more invisible operations of the health care system, where protected health information is moved from one organization to another and shared with business associates and other organizations. This is not surprising, since consumers are most likely to be aware only of the most obvious violations that they personally experience. Therefore, by relying solely on the consumer to be cognizant of HIPAA privacy violations, OCR is seriously abdicating its responsibility to fully enforce HIPAA privacy.
Compliance with the Privacy Rule

According to the latest survey conducted by Phoenix Health Systems in October, 24% of health care providers are not fully compliant with the privacy rule, six months after the deadline. Among those providers that claimed to be privacy compliant, almost 40% had not completed all necessary business associate agreements. Approximately 50% reported that their organizations had experienced one or more privacy breaches in the past six months. This self-reported data, which is likely to overstate the level of compliance and understate privacy breaches, suggests that substantial oversight remains necessary to ensure that all covered entities adhere to the privacy rule.

Moreover, the lack of compliance with regard to completed business associate agreements suggests that in those health care back-end operations where patients have the least information and understanding of their privacy rights, covered entities are least compliant and violations are most likely to take place undetected. Particularly in the areas that are not easily transparent to the average consumer, OCR should not rely solely on complaints from the public for compliance and enforcement purposes.
HIPAA Enforcement Must Be Strengthened

The privacy rule is only as effective as its enforcement. By abdicating its responsibility to monitor compliance and placing the onus of reporting violations on health care consumers, OCR is undermining the HIPAA privacy rule and patients' privacy rights. As the Health Privacy Project pointed out in its comments on the interim final rule on civil monetary penalties, the HHS Secretary has a duty to enforce the law. HIPAA also empowers the HHS Secretary to conduct compliance reviews of covered entities. The enforcement policy promulgated in HIPAA's interim final rule, however, does not provide for any active and routine monitoring of covered entities to ensure compliance. Without such action, only those health care consumers knowledgeable and savvy enough to complain to OCR will have their rights upheld.

The interim final rule also states that HHS will first try to resolve potential violations by "informal means." While such an approach is a reasonable response to minor and unintended violations of the rule that occur within the first six to 12 months the rule is in effect, it is wholly inappropriate for more serious violations or for covered entities that demonstrate repeated resistance to compliance.

OCR's reluctance to disclose details on the complaints it has referred to the Department of Justice is disconcerting. OCR should make a regular accounting of the number of complaints it has received, their nature and how they have been resolved. Furthermore, OCR should launch a more ambitious campaign, and account for its effort annually, in educating the public about its rights under HIPAA. OCR can go a long way toward educating both consumers and covered entities that the privacy rule is not just another bureaucratic hurdle to be overcome.
The government has a duty to get out the message that the law is intended to safeguard sensitive information within the health care system and encourage greater trust between providers and their patients.

The comments by the Health Privacy Project also pointed to the absence of any role in the enforcement process for the individual whose privacy may have been violated. Although individuals are responsible for bringing violations to OCR's attention, they have no role in the enforcement process and cannot be compensated if they are harmed. Any penalties are paid to the government, not to the individual. Individuals are allowed to participate in enforcement proceedings only if called as a witness by the HHS Secretary or the covered entity against which the complaint was filed. HHS is not required to inform the individual of the date of the hearing or provide any opportunity to submit testimony. The interim final rule should be modified to include testimony or a written statement from the individual whose privacy was violated and to require notice to the individual of the date, time and place of the hearing.

Enforcing the Privacy Rule

To protect patient privacy, HHS should:

• Conduct periodic compliance reviews of covered entities;
• Step up its public education regarding individual rights under the privacy rule;
• Provide a detailed report annually to Congress of all complaints filed and how they have been resolved, and account for the agency's enforcement activities that are not "complaint driven";
• Allow individuals to participate in hearings regarding their complaints; and
• Amend the privacy rule to allow people the right to sue in federal court for alleged violations.

Congress and the executive branch should monitor state lawsuits brought by people who believe the privacy rule was violated.

About the authors: Janlori Goldman is director of the Health Privacy Project. The Health Privacy Project is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and a community level. Ms. Goldman can be reached by e-mail at jgoldman@healthprivacy.org. Katharina Kopp is the program manager for the Health Privacy Project. In this capacity, Dr. Kopp manages the Project's Consumer Coalition for Health Privacy and engages in research, policy analysis and public education on a variety of issues, including the HIPAA privacy regulation, genetics and privacy, and bioterrorism and public health. Elizabeth Ida Tossell, the Health Privacy Project's research assistant, contributed to this piece. Ms. Tossell is a graduate of Yale University, and is sharing with HPP her research and writing skills, as well as her passion for improving the world, until she goes to law school next year.

The views expressed in this column are those of the authors and do not represent the views of the California HealthCare Foundation or the Advisory Board Company. iHealthBeat is published daily for the California HealthCare Foundation by The Advisory Board Company. © 2001 The Advisory Board Company. All Rights Reserved. To subscribe to iHealthBeat please visit www.ihealthbeat.org