Aloha! This is my first post in two weeks, because I have been on vacation. I had intended to post at least once while on vacation, just so I could say Aloha from Oahu or Kauai, but I did not have time (or convenient high-speed internet access). I will briefly say that my wife and I did have a wonderful time in Hawaii. (Nothing like 75 degrees and sunny in February.) As most of you will agree, the first day back from a vacation is always busy, and, therefore, this post will be somewhat shorter.
While I was gone, HHS published the final HIPAA enforcement rule. Most of this rule will only concern you if you receive a notice of proposed penalty. There are a few things you should be aware of before then. First, if you receive a notice of proposed penalty, you have ninety days to appeal the notice -- ninety days, not sixty. I point this out simply because it is another, different timeframe, and although it gives an entity more time to evaluate whether it wants to file the appeal or not, it can lead to confusion. I am always in favor of longer timeframes, because they provide a longer period in which to try to resolve a matter before having to initiate an appeal. The rule also states the specific requirements for how an entity may request an appeal of a proposed penalty. As with any administrative appeal, failure to meet all of the stated requirements will result in the appeal being dismissed.
The rule gives HHS authority to settle and this authority includes the authority to reduce the proposed penalty. The rule also provides affirmative defenses, rights of the parties, and procedures for the appeal of a penalty and an appeal of the ALJ decision. The final rule is effective on March 16, 2006.
According to IT Research Group, HIPAA is an ineffective "toothless tiger." The group laments the lack of convictions for HIPAA violations and believes a complaint-driven system is ultimately ineffective. The group feels that healthcare executives need to be subject to liability for HIPAA violations in the same way they are subject to liability under other federal laws. The group also feels that HIPAA should be enforced more vigorously, in a manner similar to the Fair Credit Reporting Act. Based upon what I have seen from providers, the vast majority are complying; in fact, they were guarding patient privacy quite well before HIPAA. Because of this experience, I disagree with the idea that the government needs to enforce HIPAA more rigorously.
The group's complaint overlooks the difference between medical records privacy and other privacy laws. The medical profession, like the legal profession, has a long history of zealously guarding patient privacy. Patient privacy was governed by laws, regulations, and professional ethics long before the federal government decided to regulate patient privacy. HIPAA, let us not forget, was a classic example of one or two well-publicized mistakes leading to a rather sweeping, and unnecessary, federal regulation. Patient privacy is not in any danger because the Feds have only obtained one conviction since 1996.
Furthermore, the fact that the feds have only prosecuted one case to conviction does not mean that providers are failing to comply with the rules. It is partially a reflection of the lack of resources, but also of the prioritization of the Department of Justice. The DOJ has made it very clear that they do not intend to prosecute HIPAA criminal violations. Frankly, many criminal violations of HIPAA would also be violations of other criminal statutes. (HIPAA does not make it a crime to inadvertently disclose PHI; there has to be some level of criminal intent.) Individuals such as the gentleman out west who was convicted of a criminal violation of HIPAA will still be subject to criminal prosecution for obtaining patient PHI for their own use, with or without HIPAA prosecutions. In that case, the defendant was charged with a number of other federal crimes, but pled to a violation of HIPAA.
The other complaint is the use of a complaint-driven enforcement model. Many federal regulations are enforced through a complaint-driven model. I can think of two examples: wage and hour regulations and the EEOC. Both of these regulatory schemes are sweeping and more directly affect individuals than HIPAA. However, the enforcement of these matters is driven almost exclusively by complaints, and they are enforced quite thoroughly. Complaint-driven models can be a very effective way to enforce a regulatory scheme.
All of the discussion of enforcement stems from a belief that without sweeping government regulations that are enforced vigorously, patient information will not be protected. However, patient information was protected for many years before HIPAA. Enacting HIPAA has created yet one more regulatory monster for health care providers to tame, but the large cost of HIPAA compliance has not resulted in a similarly large increase in the protection of patient confidentiality. Subjecting health care providers to even more draconian prosecution efforts in Sarbanes-Oxley-style HIPAA enforcement will only serve to drive the costs of compliance up, yet will not likely reap any further benefit in patient privacy.
This is because health care professionals were going to great lengths to protect patient privacy before they began implementing HIPAA. Unlike other professions that are not regulated by federal laws, health care professionals took it as a fundamental matter of professionalism to keep patient information confidential. HIPAA compliance did not change a great deal for health care providers, except increasing by one the number of policies and procedures manuals on their shelves.