• E-mail
• Print
• RSS

Time's up: HIPAA privacy rule is now enforceable

HIM Connection, April 1, 2003

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

Dear Colleagues: Yesterday's HIPAA privacy rule compliance deadline has come and gone, but that doesn't mean covered entities are slowing down their training and awareness efforts. Now that the privacy rule is enforceable, it's important to stay aware of the penalties associated with a privacy rule violation.

Penalties for HIPAA noncompliance are described in the legislation itself. The law provides for civil penalties of up to $100 for each violation. The total amount imposed on a covered entity for all violations of a single requirement may not exceed $25,000 during a calendar year.

In several public presentations, the Department of Health and Human Services (HHS) has issued further clarification on how the penalties for noncompliance will be levied. For example, HHS staff members have indicated that the word "requirement," as used in the legislation, refers to each individual standard. There are 57 "standards," or requirements in the final privacy rule. Although it is unlikely that a covered entity would violate every one of these rules, it is conceivable that an entity could pay up to $2 million a year in fines, based on the maximum penalty multiplied by the number of privacy, security, transactions and identifier requirements.

The final privacy rule identifies the Office of Civil Rights (OCR) as the enforcement agency for violations of the privacy rule. Fortunately, the OCR is known for its willingness to work with organizations to bring them in compliance before levying stiff penalties. The privacy rule further specifies that, when HHS investigates an entity based on a suspected HIPAA violation and finds that the entity is not in compliance, HHS will attempt to "resolve the matter by informal means whenever possible."

It is important to recognize that HIPAA is not a funded mandate. This means that Congress did not appropriate any additional funds for HHS to enforce the legislation's requirements. The rule's administration simplification provisions were intended to return benefits to all covered entities, including government health plans and providers. However, these benefits won't come until after implementation--for both the government and covered entities.

As a result, the government will not likely be in a position to proactively enforce the regulations. Government enforcement will more likely occur as a result of complaints filed with the Secretary of HHS. Even before the compliance deadline, HHS had received privacy complaints, although no action has been taken yet. The privacy rule notes that HHS will "see the cooperation of covered entities in obtaining compliance" and may "provide technical assistance to help covered entities comply voluntarily with the requirements," and specifies that any person may file a complaint with the Secretary of HHS. The department's language on this issue, including phrases like "cooperation" and "comply voluntarily" leads one to believe that the government will rely heavily on complaints and the marketplace for enforcement.

This week's HIM Connection was adapted from the book "HIPAA Made Simple: A Guide to Fast-Tracking Compliance, Second Edition" by Margret Amatayakul, MBA, RHIA, FHIMSS. Click here for more information or to order your copy. Also, check out the Editor's Choice section below for our new edition of the Medical Records Documentation Guide to the JCAHO 2003 Standards.

Sincerely,

Laura Motta
Editorial Assistant
lmotta@hcpro.com

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

• E-mail to a Colleague
• Print
• RSS
• Archive