HIPAA enforcement is upon us, or is it? Have you seen any HIPAA police yet? Or, is HIPAA enforcement a toothless dragon? Is the industry faced only with soft enforcement?
Types of HIPAA enforcement
We should first look at the types of enforcement possible under HIPAA law and regulations, other laws and regulations and individual perspectives on how, when and where they can enforce the HIPAA standards.
Within the HIPAA law and the related regulations, civil and criminal enforcement typically starts with a complaint. The complaint can be made by anyone who thinks he or she has seen a breach or violation of a specific HIPAA requirement. The complaint does not have to be made by an individual or a covered entity who has been wronged. The complaint may pertain to something that you have done -- or not done (e.g., some event that happened within your practice or at a health plan office, or something that you should have done and did not do). Something not done is called an omission.
Only if there is a huge problem will the "HIPAA police" act without a complaint being submitted. If something is reported in the newspaper, the HIPAA police may enforce compliance before they receive a complaint.
All HIPAA regulatory requirements may be enforced civilly; you can be fined for your acts and omissions. HIPAA transactions and code sets, identifiers, and security and privacy may all be civilly enforced. Only privacy may be criminally enforced. But we are getting ahead of ourselves in the enforcement story.
The Secretary of the Department of Health and Human Services (HHS) has been given the responsibility under the HIPAA law to enforce the HIPAA requirements and standards. The Secretary, in turn, has delegated privacy enforcement to the Office for Civil Rights (OCR) within HHS. If a privacy complaint rises to the criminal level, OCR refers the complaint to the Department of Justice (DoJ) for investigation and possible prosecution. Enforcement of all the other HIPAA requirements and standards has been delegated to the Office of E-Health Standards and Services (OESS) of the Centers for Medicare and Medicaid Services (CMS) within HHS. Both OCR and OESS can direct that the covered entity pay civil monetary penalties.
Both OCR and OESS want to solve all complaints informally by working with the covered entity that has the HIPAA issue. To date, they have succeeded in doing this in all but a handful of complaints. Only a few privacy complaints have been sent to the DoJ. Plus, no known fines have been levied. If a complaint includes a privacy and a security act[s] or omission[s], then OCR and OESS work together to resolve the problem[s].
Two types of "private HIPAA enforcement" potentially have more teeth than a complaint to a federal agency. HIPAA does not give an individual a private right of action; however, some states give individuals private rights of legal action under state laws about medical information. Also, in the states with no private right of action, cases are being brought under other state law using the federal HIPAA law and regulations as a standard of care that everyone in health care knows about, or should know about.
The private HIPAA enforcement penalties are now, and will be, monetary. As in other cases, individuals who think they have been wronged will pursue the individuals and businesses with "deep pockets." In other words, those with the money will have complaints against them filed in state courts.
The other type of private HIPAA enforcement is often part of a court case but it need not be. This enforcement is in and by the court of public opinion. Do you want to find your problem on the front page of the local newspaper or on the local television newscast? Probably not, yet this may be the first place where you receive 'notice.' I have seen HIPAA-related reporting on my local television news in the past few weeks; have you seen any news reports?
HIPAA enforcement documents
If you find yourself faced with a complaint, no matter where it originated, you need to review a number of HIPAA laws, regulations and notice documents to determine whether you have a real HIPAA event or omission.
First, you must look to both the HIPAA law from 1996 and all the HIPAA regulations since that date. Review the general regulatory standards found in 42 Code of Federal Regulations [CFR] 160, and the specific regulation and section[s] that may have been breached, such as 42 CFR 164.512, for a breach of a permitted privacy use and disclosure.
Second, two HIPAA enforcement regulations have been released in the Federal Register in the past few years. The documents for the enforcement regulation are found at 68 FR 18895, 70 FR 54293 and 70 FR 20223. The final provisions are presented in the general CFR section and include sections for enforcement procedures and how civil monetary penalties will be calculated and enforced.
Third, OESS released a notice document in April 2005 at 70 FR 15329. It outlines the investigation process undertaken when a federal agency receives a complaint for all but a privacy event or omission.
Finally, the regional DoJ staff uses a document when it starts HIPAA criminal investigations and prosecution. The June 1, 2005, memorandum specifies who is subject to criminal penalties. It can be found at www.worldprivacyforum.org/pdf/hipaa_opinion_06_01_2005.pdf
Remember both acts and omissions can be HIPAA mistakes and violations.
Good luck with your HIPAA enforcement. In a future article, I will examine what to do if you find or are told about a HIPAA problem.
Ms. Miller is chief operating officer and chief privacy officer of HealthTransactions.com, a new company forged by two long-time health care hands empowering the health care industry in administrative, clinical and financial transactions. The company provides valuable strategic information that enables clients to move forward using the newest technology to gain efficiencies, interoperability and strength in their market space.