Out to Get You?

April 1, 2004

How the Office for Civil Rights is handling reported HIPAA violations

Roberta Shue simply wanted a copy of her contact lens prescription, and as the training coordinator for medical privacy and other issues at a government office in York County, Pa., she knew the ophthalmologist was required to give it to her.

So when the physician's technician informed her that it was against office policy to grant her request, Shue also knew how to respond. She filed a complaint with the Office for Civil Rights (OCR). This division of the Department of Health and Human Services (HHS) enforces the privacy rule, the part of the Health Insurance Portability and Accountability Act (HIPAA) that gives patients the right to their own medical information, among other provisions.

Within five weeks, Shue not only had her prescription, but also a note from the physician and a follow-up letter from OCR.

"There was no admission of wrongdoing," by the physician, Shue says. "Just a statement that their new policy permitted the release of contact lens prescriptions when requested by the patient."

Shue wonders whether the physician -- whom she declined to identify -- misunderstood the rule as it applies to contacts, or wanted to withhold the prescription so Shue would have to order the lenses through the doctor's office. Regardless, Shue filed the complaint because it seemed pointless to argue with the technician, and she wanted to "test the system" to see how OCR would respond.

According to OCR director Richard Campanelli, Shue's situation is an accurate reflection of his office's experiences enforcing the privacy rule, both in the type of complaint received and the resolution. In fact, OCR has not yet imposed any civil monetary penalties on any groups or individuals, called covered entities, who must comply with the law.

Penalties to date

Of the 3,700 complaints received by December 2003, the latest period for which totals are available, about 40 percent had been resolved; of those, 60 percent were closed simply because OCR lacked jurisdiction to pursue them, according to OCR. For example, an incident might have occurred before April 14, 2003 (the deadline for compliance with the privacy rule), or concerned an entity not covered by the law. Of course, cases are also marked closed when physicians and others cooperate with officials to address the violation, as in Shue's situation.

"We have seen that most covered entities want to [cooperate]," says Campanelli. "When you get a call from the Office for Civil Rights saying we've had an allegation of a violation of privacy rights, providers pay attention to that."

But OCR has other options in cases of noncooperation. HHS can levy "on any person" who violates the privacy rule a fine of "not more than $100 for each such violation"; the fine can reach up to $25,000 "for all violations of an identical requirement or prohibition" in one calendar year.

Also, the Department of Justice (DOJ), which shares enforcement authority with HHS, can impose criminal penalties if an individual "knowingly" and "wrongfully" discloses health information. Fines and prison time range from $50,000 and one year in jail to $500,000 and 10 years in jail if the intent of the violation was for personal or commercial gain or to cause malicious harm.

Campanelli says that less than 1 percent of all received complaints have been forwarded to the DOJ.

Focus compliance efforts

To reduce the chances of being investigated, practices should work with patients before the patients think of contacting OCR, says Campanelli. "We have encouraged [covered entities] to make it clear that they are available to receive complaints, and the most prudent thing they can do is to quickly respond" to any complainant.

Village Internal Medicine, a four-physician practice in Fayetteville, N.C., received one patient complaint since the rule went into effect, concerning a voicemail message left on a home phone. Office manager Kristin Anderson did exactly what Campanelli suggests.

"I called the patient myself, spoke with her directly, and mailed her the [practice's] complaint form to complete," Anderson says. "I called her back to tell her what we had done in the practice to resolve the problem. It was minor, and the fact that we responded quickly and directly is what satisfied her concerns."

It is also useful to focus on the areas that have generated the most complaints to OCR, Campanelli points out. "[I]mproper disclosures, safeguards, and access -- these are all areas where providers, with a little more attention, could improve their compliance," he says. Concentrate on areas where you and your staff have face-to-face interactions with patients and take steps to ensure that employees are not discussing PHI [protected health information] with strangers and others not involved in a patient's treatment, Campanelli adds.

Violations can occur simply because office staff chat too much among themselves within earshot of patients, or visits are conducted in open exam rooms so conversations can be overheard. These situations are easy to prevent, says Lewis Lorton, chairman of HIPAADOCs, a Columbia, Md.-based compliance firm.

Office staff should continually ask themselves where they are leaking information, and take steps to plug the leak. One common source is phone calls. "Never pick up the phone and use the patient's full name. And if you are giving information to someone make sure you know who they are," Lorton advises.

Anderson agrees with Lorton's emphasis on practicality. "Much of HIPAA is common sense and can work, if communicated properly and clearly to all the parties involved," she says. Describing her efforts to improve communication, she adds, "The receptionists have been given very clear-cut explanations to offer to the patients, so that they understand their part ... . The physicians are reminded, constantly, of the part that they play and what the expectations are." These concepts are reinforced during office meetings, complete with "a little quiz with gag gifts for prizes," says Anderson.

Staff education and preparedness are also important to OCR. Campanelli notes that OCR would not consider a disclosure of protected health information a violation if it were accidental or "incidental" -- as long as the office has reasonable safeguards in place and adheres to the minimum necessary standard. Under this standard, information that is used is supposed to be limited to no more than what the person needs to accomplish the task at hand.

OCR to get tougher?

Privacy advocates are pushing OCR to move from its complaint-driven approach to a more proactive method of assessing compliance, using spot checks and investigations initiated without receiving a complaint. A Washington, D.C.-based advocacy organization, the Health Privacy Project (www.healthprivacy.org), has been independently tracking privacy complaints, and its data reflect OCR's in terms of numbers, types of complaints, and their resolution. The privacy group has been asking people who send complaints to HHS to also send them to the organization.

Privacy project leaders suspect possible violations are underreported, based on the type of complaints that have come in thus far; too few, they say, address the "back shop" healthcare activities, such as improper data sharing, says Katharina Kopp, program manager for the privacy group.

Kopp's group is also urging OCR and HHS to be more open about the enforcement process and cases it is handling. They take issue, for example, with Campanelli's refusal to say much about the cases he has referred to DOJ. Kopp and others want OCR to develop a system for public reporting of the number of complaints received and how they were handled. Typically government officials reveal information about privacy enforcement only when they testify before Congress or the National Committee on Vital and Health Statistics, an advisory body that is monitoring HIPAA compliance.

"We understand that at the beginning people need to get up to speed, but providers have known about this for a long time. We think the whole enforcement strategy has to change, to send a strong signal that OCR is serious about enforcement," Kopp contends.

Campanelli disputes this, saying, "We are seeing complaints arise from all across the country .... Thus far, the voluntary approach looks like an effective approach." But OCR is continually evaluating its enforcement process, he says, and will make changes if necessary.

Theresa Defino can be reached via editor@physicianspractice.com.

This article originally appeared in the April 2004 issue of Physicians Practice.