The OCR on enforcement: Patients' rights get priority
HIPAA Training Advisor, June 28, 2007
Patients have consistently complained to the OCR that they're having trouble accessing their medical records, and now the agency has responded: it prioritizes these concerns when investigating HIPAA complaints.
"This has been an issue that has uniformly been in the top five [of privacy complaints]," says Susan McAndrew, JD, deputy director for health information privacy in the OCR. Patients who file these sorts of complaints might believe that covered entities have denied them access to their records, that they haven't supplied access to the records in a timely manner, or that they charge too much to obtain copies of the records, she says. "We've put some priority on that type of complaint to make sure we validate the public's right to access. It's something the public values and it's something that some entities are having difficulty implementing correctly."
For the last six months, regional offices have been expediting investigations regarding patient rights under HIPAA, from cases about medical record access to the right to amend those records. The agency is speeding up its processing of those complaints, McAndrew says.
In most cases, covered entities have good policies to ensure access, but they don't seem to be living up to them because of poorly trained staff or mistakes, such as lost paperwork. Sometimes, however, especially at first, covered entities were unaware of their obligation to provide access to records or were withholding them in order to get patients to pay their bills. These types of cases still come up frequently, says McAndrew. "We're identifying those cases that need prompt attention."
Trends to watch
The OCR had received more than 27,000 complaints about HIPAA privacy as of April 30. Of those, 4,577 resulted in corrective actions by covered entities; in 2,203 cases, the agency found there was no violation. The agency closed another 14,297 cases because the complaints were not eligible for enforcement.
The most frequent investigations were about:
- Impermissible uses and disclosures of PHI
- Inadequate safeguards for PHI
- Failure to provide patient access to PHI
- Failure to meet the minimum necessary rule
- Improper authorizations
There has been one positive trend. When the rule first went into effect, the top five complaint categories typically included the failure to give patients a notice of privacy practices. But those complaints have steadily declined, McAndrew says.
In addition, the most common types of covered entities that have had to take corrective action are private physician practices, hospitals, outpatient facilities, health plans, and pharmacies. Physicians and hospitals top the list because they have the most patient interactions, McAndrew says.
Web site to the rescue
The agency recently launched a new enforcement Web site that gives up-to-date statistics about its enforcement actions, along with case examples that describe the kinds of violations the OCR is seeing and how it resolved them.
"Through case examples, we hope to better communicate with the communities we oversee," McAndrew says. The aim is to help facilities improve their internal procedures to correct mistakes, and to prevent mistakes from happening in the first place. The agency plans to expand the number of case studies to provide covered entities with more guidance over time, McAndrew says.
Among the case studies is an example in which a private physician practice gave a patient a summary of her son's medical record instead of a complete copy, because practice staff looked only to state law for guidance. However, the OCR ruled that HIPAA allows covered entities to release a summary only if the patient agrees to it; in this case, the OCR required the covered entity to provide access to the full record and revise its policy.
Such examples are worth checking out for covered entities that want to understand what the OCR is looking for, says Norbert Kugele, JD, healthcare attorney and partner at Warner Norcross & Judd, LLP, in Grand Rapids, MI. But they're only a start.
Culture change necessary
"We're not seeing that level of detail from HHS about how they're interpreting HIPAA," says Kugele. "If we could get that level of detail, it would give covered entities some guidance about whether what they're doing is enough. I don't think it will give covered entities as much information as they would like, but it's better than nothing."
But focusing on national trends in enforcement may not be the best way for covered entities to stay out of trouble, McAndrew says. "I really think they are better served looking at their own patient base and the interactions they're having with their own particular clientele . . . [rather] than spending a lot of time wondering what the other guy is doing or what national trends show," McAndrew says. "That's where the culture change needs to be. Make sure that privacy just simply gets embedded in everyday activities."
One area of perennial interest to covered entities is whether the OCR will change its current enforcement stance and start imposing civil monetary penalties. "You're not going to have compliance until you have fines because the people who set budgets are putting resources where they perceive the greatest risks," says Kugele. "The perception now is you get one free violation. You're just going to get a slap on the wrist."
But McAndrew says the current system is working because covered entities are cooperating with the agency and fixing problems voluntarily when the agency asks them to do so. She says the OCR is, and has always been, prepared to assess fines if necessary. But, so far, it hasn't been necessary, she says.
"We've been able to get this kind of good resolution and change in [more than] 4,000 cases," says McAndrew. "I think it's wrong to look at civil monetary penalties as a real true measure of how strongly this program is being enforced. I just continue to struggle with putting a lot of stock in an enforcement scheme that is based on handing out something that would be equivalent to a speeding ticket at a $100 per violation." She also says assessing fines might be counter-productive because it would put the agency and covered entities on an adversarial footing.
Although the risk of fines may not be high, a violation could cause other headaches for covered entities, Kugele warns. It might spark an investigation on the state level, where regulators may have additional power to impose penalties. It could also expose the organization to the risk of litigation, because attorneys are increasingly pointing to HIPAA as a standard of care that hospitals have violated when suing for negligence or other claims.
Violations can also lead to bad publicity. "[No] hospital wants to make headlines that they're not protecting people's privacy," Kugele says.
Although the privacy side of HIPAA draws, by far, the most complaints, the security rule is also an enforcement issue, though there's been little action to date. Recently, the HHS Office of Inspector General started its first security audits, which has sparked talk of possible increased enforcement on the federal level.
In addition, security is getting a great deal of attention from states. So far, 38 states have passed security breach notification laws. States are also imposing regulations regarding proper disposal of data and setting security standards for personal information across the board, which also affect healthcare. This is important because healthcare facilities are licensed by the states and generally have more contact with state regulators, Kugele says.
"The perception is that HIPAA enforcement is so unlikely that you're probably more worried about state enforcement," he adds.