HIPAA Regulatory Alert

Compliance with HIPAA privacy regulation is dropping

Survey says: Don't take compliance for granted

While the majority of health care facilities continue to be essentially in compliance with HIPAA privacy and security regulations, the number that consider themselves more than 85% compliant with the privacy regulation has dropped in the last year. That's one of the key findings in the American Health Information Management Association (AHIMA) 2006 survey — "The State of HIPAA Privacy and Security Compliance."

The percentage of respondents who said they believed their institution was more than 85% compliant dropped to 85% in 2006 from 91% in 2005. Likewise, the percent of respondents who believed they were less than 85% compliant increased from 9% in 2005 to 15% in 2006.

AHIMA analysts said that while this is not a significant change, it is enough to raise concern — especially given that 55% of respondents said that adequate resources are their most significant barrier to full privacy compliance. "Privacy officers particularly need support for education and training of new staff, while a lack of resources and competing priorities have led some hospital and health system staff to slack off regarding all aspects of the privacy rule," the survey report said.

"The issue of budget also appears to impact the level of privacy training and monitoring that a privacy officer or staff are capable of providing," the report continues. "Finally, privacy officers report sensing a loss of support from senior management, both in ensuring that facility staff are aware of the need for privacy, as well as ensuring sufficient budget for education."

Dan Rode, AHIMA's vice president for policy and government relations, tells HIPAA Regulatory Alert it is becoming obvious that if organizations don't keep at it and reinforce the behaviors necessary for compliance with the privacy regulation, compliance starts to lose meaning, and bad habits from the past, such as leaving files open on a desk or talking about patients in an elevator, start to occur again.

"I think some things are going to happen" to bring more resources to bear on the issue, Rode says. "There have been a number of high profile incidents recently, like the loss of VA data and a Government Accountability Office report that there are serious security deficiencies in computer systems at the Department of Health and Human Services [HHS]," he says.

"These revelations are leading to discussions on how to keep records more secure. Privacy officers are trying to use these incidents to leverage their administration for more resources and support to do the job right."

Security compliance continues to increase

With the HIPAA security regulation, 25% of surveyed facilities indicated compliance at the top level, with another 50% saying they are close to full compliance. That represented an increase over 2005, when 17% of all respondents described themselves as "completely compliant" and 43% said they were 85% to 95% compliant.

"It appears that the security regulations were much easier to achieve than the privacy rule," AHIMA analysts said.

Three years after implementation of the HIPAA privacy rule, the AHIMA survey reached these conclusions:

1. HIPAA implementation has been a challenge for organizations, and it appears that for the majority the challenge has been met. However, the need for privacy, confidentiality, and security remain, especially as organizations tighten staffing and budgets. A slight drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning to the industry that compliance should not be taken for granted.

2. If the support for privacy and security and the need for ongoing training are not maintained (and in a few areas increased), all the work that has been put into HIPAA compliance efforts over the last few years may be undone over time.

3. The need for support of privacy and security must also reach beyond facilities. The federal government's approach to HIPAA enforcement has been to educate rather than to fine or prosecute offenders. While we applaud this approach, a concerted effort to educate and remind the health care industry and others of the need to maintain and continually improve privacy efforts is equally needed.

4. The health care industry has much to learn from HIPAA as it moves toward electronic health records and a nationwide health information network. There is considerable disagreement on whether electronic health records will improve privacy or security and there are many concerns on how information networks will protect data. Consumers will be watching the health care industry to see how well it complies with HIPAA rules before they put their trust in a national health information exchange. Communicating with consumers, answering their questions, and addressing their concerns may be key to advancing health information exchange activities. Privacy officers and health information management professionals will be important partners in this process. AHIMA believes that the time is right for an open dialogue about the value of privacy at both the national and organizational levels.

Rode says most providers are growing accustomed to the various provisions of the privacy rule, but there still are reports of difficulties with specific requirements. Many respondents would like to see changes in the accounting for disclosure provision of the privacy rule. Most commonly, he says, respondents have received at most a few requests for an accounting.

He says that for many respondents the provision is not only burdensome but also significantly inefficient. The problem could easily be addressed while ensuring that individuals would have an accounting for all releases not covered by authorization or law. A major impediment, he says, is that most organizations still are paper-based and it's hard to deal with a complete accounting in a paper environment.

According to Rode, health care organizations and the general public remain in a HIPAA transition period, even three years after implementation, and the transition will continue until there has been a major adoption of electronic health records. He says that many of the issues that are problems today can be resolved easily when there is a critical mass using electronic records. "But we're still moving slowly," he concluded. (Download the AHIMA report at www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf. Contact Dan Rode at (312) 233-1100.)

Still no privacy fines

The mainstream media has picked up on the fact that enforcement of the HIPAA privacy regulation has not included any civil fines and only two criminal prosecutions. The Washington Post catalogued 19,420 grievances filed in the three years since protection for private medical information took hold, with more than 14,000 of the cases closed by the government, "either ruling that there was no violation or allowing health plans, hospitals, doctors' offices, or other entities simply to promise to fix whatever they had done wrong, escaping any penalty."

The Post reported the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained, or patients were frustrated getting their own records.

"Our first approach to dealing with any complaint is to work for voluntary compliance," said Department of Health and Human Services Office of Civil Rights Director Winston Wilkinson. "So far, it's worked out pretty well."

Hospitals, insurance plans, and doctors may agree with Wilkinson's assessment, but it has been strongly criticized by privacy advocates and some health care industry analysts who say the Bush administration's decision not to enforce the regulation more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about compliance.

"The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company that information isn't going to be used against them," Health Privacy Project founding Director Janlori Goldman told the Post. "They have done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless."

The Post said the debate has intensified because of a government push for computerized medical records to improve health care efficiency and quality. Privacy advocates have expressed concern that large, centralized, electronic databases will be especially vulnerable to attack, making it even more important that safeguards be vigorously enforced.

Don't know if fines are needed

Wilkinson declined to discuss specific cases but said his staff have "been able to work out the problems… by going in and doing technical assistance and education to resolve the situation. We try to exhaust that before making a finding of a technical violation and moving to the enforcement stage. We've been able to do that." He said that with some 5,000 cases still open, there might be a need for some fines but "we don't know at this stage."

Those responsible for complying with the law generally praise the HHS approach to enforcement. "It has been an opportunity for hospitals to understand better what their requirements are and what they need to do to come into compliance," said the American Hospital Association's Lawrence Hughes. And American Academy of Family Physicians President Larry Fields said physicians "are more used to the government coming down with a heavy hand when it's unnecessary. I applaud HHS for taking this route."

But health care consultants say the lack of penalties has led to organizations becoming complacent about protecting patient records. They cite the latest AHIMA survey.

"They are saying 'HHS really isn't doing anything so why should I worry?'" said Apgar & Associates consultant Chris Apgar.

Wilkinson said the limited size of his staff prevents them from doing more than responding to complaints. "We've had challenges with our resources investigating complaints," he said. "We've been successful with voluntary compliance, so there has not been a need to go out and look."

The privacy advocates counter that other federal agencies, such as the Securities and Exchange Commission and Federal Trade Commission, take a different approach, looking for significant and high profile cases that will send a message to industry.

"The law came about because there was a real problem with people having their privacy violated," Goldman said. "They lost jobs, they were embarrassed, they were stigmatized. People are afraid. The law was put in place so people wouldn't have to choose between their privacy and getting a job or going to the doctor. That's still a huge problem."