HIPAA Audits to Create More Headaches for Physicians

Historically, aside from using common sense, no one really thought too much about protecting patient health information. Speaking with many physicians on the subject, the opinions seem unanimous: It is hard to believe the government doesn’t have anything better to worry about.

The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, the Office of Civil Rights piloted a program to perform test audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began November 2011 and should conclude in December 2012. Here's more information about the pilot program.

Yet, if it seems strange that the government should involve itself with physician/patient privacy, it seems stranger still that the Office of Civil Rights should be given the task of enforcement. Historically, federal civil rights statutes protect citizens from government (and in some cases, private) infringement upon rights protected by the bill of rights and the 13th and 14th Amendments. These are normally “citizenship” rights, which cannot be infringed upon by the government. As any Constitutional Law scholar can attest, however, there is no Constitutional right to physician/patient confidentiality. In fact, HIPAA confers no private cause of action of any kind, (hence, no rights, civil or otherwise) upon a citizen whose privacy expectations have been violated.

The HIPAA Privacy Rule, among other things, regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, healthcare clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) By regulation, HHS extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates." PHI is any information held by a covered entity which concerns health status, provision of healthcare, or payment for healthcare that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.

A covered entity may disclose PHI to facilitate treatment, payment, or healthcare operations without a patient's express written authorization. Any other disclosures of PHI require the covered entity to obtain written authorization from the individual for the disclosure. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.

Penalties for the non-compliant can be severe. In April, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Ariz., agreed to pay the HHS a $100,000 settlement amount after an Office of Civil Rights’ investigation found that the physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible. This follows a $1 million fine handed down in 2011 against Massachusetts General Hospital, after an employee inadvertently left 192 patient records on a subway train.

Yet, if “patient confidentiality” is not an historically protected right under the Constitution, why is the Office of Civil Rights involved in the first place in protecting patient records?

This is actually a two-part question, with the answer to the question “Why is the government involved in privacy?” making more practical sense than the answer to the question “Why is the Office of Civil Rights involved in something which isn’t a civil right?” The reason the government is involved at all, lies in the fact HHS decided it could save a great deal of money by switching to an expensive electronic system. Yet, a great deal of Congressional hand-wringing concerned the fear of public blow-back if all those binary “ones and zeros” ever got loose. So Congress decided upon a plan whereby the government would reap the financial savings from a new electronic system, but lay blame at the feet of providers if anything went wrong.

As to the question, “Why is the Office of Civil Rights involved?” apparently Americans are very protective of their civil rights - even nonexistent ones. If the government wanted to be taken seriously, (and in the beginning, no one did,) what better way to add cache, than to pretend that accidentally leaving records on a subway somehow is a matter for the Office of Civil Rights?

We know there is no civil rights violation, because HIPAA creates no private right to sue for a violation of HIPAA's confidentiality provisions. (Anyone who has ever tried has been thrown out of court.) Any fines recovered for violations belong to the government - not the patient. Rather than a private right, a patient must file a written complaint with the HHS Secretary through the Office of Civil Rights. It is then within the secretary's administrative discretion whether to investigate complaints and conduct compliance reviews to determine whether covered entities are in compliance. 45 C.F.R. §§ 160.306, 160.308 (2010). Therefore, any claim for invasion of privacy under HIPAA fails as a matter of law.

Naturally, the lack of a financial motive tends to dampen patient enthusiasm for vindication of their “civil rights;” the end result being, auditors are required - because no one else has really ever cared too much about protecting PHIs prior to HIPAA. Nevertheless, for the foreseeable future, all of this will surely mean more headaches, once the pilot audit program concludes, and the full wave of inspections begins.

Find out more about Martin Merritt and our other Practice Notes bloggers.