Enforcement of privacy regulations still uncertain

Now that the Department of Health and Human Services (HHS) has released final privacy regulations for the Health Information Portability and Accountability Act (HIPAA), enforcement of the new rule is a major concern. "The scariest thing about the new rule is that in many instances, it may give hospitals and others a false sense of security," says Eileen Boyd, managing partner at KPMG in Washington, DC. Because hospitals are not required to have patients sign off regarding consent, she says many hospitals may overlook the fact that they lack necessary policies.

According to Boyd, many hospitals still lack sound policies and procedures regarding what information they will or will not give out. "For many, there will be a very false sense that they have won something here they have not won," says Boyd, a former senior attorney at HHS who helped draft much of the privacy regulations.

In terms of enforcement, Mary Grealy, president of the Healthcare Leadership Council in Washington, DC, says that, over the next 12 months, everyone who is affected by the regulation will have to work in collaboration. "I don’t think HHS is going to be on a mad hunt for violations," she predicts. "But they want providers to comply."

Grealy says HHS is not likely to get bogged down by attempting to make sure that providers have everything in place by April 14, 2003. "I think they are going to go after the things that people care about rather than the minutiae of the regulation," she says.

Former HHS official Bill Braithwaite takes a similar view. According to Braithwaite, the letter of the law is specific about HHS’ enforcement on the civil side. "The law is quite specific about what the secretary can and cannot do," he explains. "Basically, you can’t fine somebody unless you get to the point where they can comply."

"I don’t expect a lot of civil fines under HIPAA," he adds. "However, I do expect HHS to investigate complaints." In some cases, he says, the agency will help people comply, and in the most egregious cases it will refer cases to the Department of Justice for prosecution under the criminal penalties.

According to the HIPAA regulations, HHS is in charge of all enforcement apart from criminal penalties for breaches of privacy. HHS’ Office of Civil Rights has been designated within the agency to enforce the civil side of privacy.

According to Braithwaite, the assumption is that the Centers for Medicare & Medicaid Services (CMS) will be responsible for the rest of administrative simplification enforcement. "However, they have yet to come out with an enforcement rule that would say exactly how that will be done," he says.

HHS has indicated it plans to come out with an enforcement rule that will lay this out sometime before the first compliance date, says Braithwaite. "On the other hand, there is no requirement for them to do that," he says. "They could just play it by ear and pick up complaints and enforce in some ad hoc way."