HIPAA Regulatory Alert: HIPAA privacy guidance seeks to maximize voluntary enforcement

Enforcement rule is in drafting stage

In December 2002, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released extensive guidance outlining various aspects of the privacy portion of the Health Insurance Portability and Accountability Act (HIPAA). That follows a recent decision by HHS to place OCR in charge of enforcing HIPAA’s privacy mandates.

OCR now is in the process of drafting the enforcement rule, says Richard Campanelli, director of OCR. He says that rule will answer questions such as whether it is the company, the chief executive officer, the chief privacy officer, or the person who commits a specific privacy violation who will be fined.

The HHS guidance is not technically binding. "The guidance is not a regulation," says Campanelli. "It is an indication of how we view this and an attempt to clarify and expand on [the rule]," he explains. "It is not a binding document because it has not been published as a regulation."

Paula Stannard, counsel to the general counsel at HHS, points out that the Administrative Procedure Act requires that anything that can impose binding obligations on the public must go through the rule-making process.

According to Campanelli, while the privacy rule implements the foundation of federal protections for protected health information, the modifications released last summer attempt to do that in a way that avoids erecting undue barriers to health care. In short, he says it is the agency’s goal to help covered entities understand the rule and maximize voluntary compliance. "The bottom line is that we are looking to maximize voluntary enforcement," he says.

The final modifications were adopted to improve "workability" of the rule and eliminate unintended consequences that may have arisen from the December 2000 version of the rule, he explains. For example, Campanelli notes that the modifications make advance consent voluntary for treatment, payment, and health care operations while strengthening the notice requirements to patients.

The modifications also make it explicit that incidental uses and disclosures of protected health information are permitted as long as reasonable safeguards are in place and the minimum necessary requirements are observed. In addition, they facilitate research activities and make it clear that public health disclosures are permitted.

‘Voluntary compliance’ urged

Since the modifications were released last summer, Campanelli says OCR and its sister agencies have emphasized "voluntary compliance" through expanded education. He says HHS now is in the process of developing technical assistance aimed at targeted audiences in various segments of the industry. Those guidance documents will be released on a rolling basis over the next few months, he says.

Campanelli encourages providers to review the new guidance, published Dec. 4, which is posted on the OCR web site along with the complete text of the privacy rule. "That is a very helpful tool so you do not have to keep referring back and forth from the modifications to the prior regulation," he says. Fact sheets on the modifications and sample business associate contract provisions also are posted, he adds.

According to Campanelli, HHS continues to field thousands of questions regarding privacy. However, many of these questions can be answered by information that already has been released. For example, he says OCR has a covered entities decision tool, posted on the HHS web site, that answers many questions about who is a covered entity and how the rule applies. "We are not saying that will answer all questions," he says, "but it is quite helpful."

Sue McAndrew, senior advisor for HIPAA privacy policy in OCR, says that tool likely will be supplemented to answer additional questions about the definitions of covered entities and how they apply in various situations.

McAndrew says the agency continues to receive numerous questions regarding the status of covered entities and the definitions of health plans and health plan providers. She points out that the primary aim of the guidance is not to address particular scenarios so much as it is to help people learn how to approach those circumstances, understand what they need to think about, and learn how to find the information they require to come to reasonable and correct answers.

According to Campanelli, HHS will continue to provide technical assistance efforts well after the April 14 compliance deadline. Meanwhile, OCR is developing its enforcement program. "At the outset, our enforcement will be compliance driven," he asserts. While OCR has the authority to engage in compliance reviews, that will not be the driving factor at the outset.

Campanelli notes that the privacy rule requires that when OCR investigates a complaint and finds an indication of noncompliance, it give notice to the covered entity and attempt informal resolution. "We certainly intend to do that," he says, "because that is the way we can most efficiently bring about voluntary compliance and the protection of individuals’ health information."

He also points out that the vast majority of all complaints at OCR are resolved with informal rulings. "That is certainly our goal here," he says. "We anticipate that many issues will just be a question of education and compliance."

While OCR is not yet authorized to pursue investigations, Campanelli says the agency already is receiving many letters on issues such as access to records, which will be required under the rule. "We believe many of these issues can be resolved just by quickly getting in touch and informally resolving it with the organization," he says. "It will be a matter of education."

Campanelli notes that covered entities will have 30 days, counted from the date the entity knew or should have known of a violation, to cure it. "That 30-day period may be extended by the department," he adds, "so there is plenty of opportunity for voluntary compliance."

If the violation is not cured within that period, the agency may impose civil monetary penalties (CMPs). Penalties amount to $100 per violation, up to a maximum of $25,000 in a calendar year for repeated violations of the same requirement. However, CMPs will not be imposed if the violation is punishable as a criminal offense. "There is no overlapping jurisdiction there," he adds.

Likewise, CMPs may not be imposed if HHS determines that the person did not know, and by exercising reasonable diligence would not have known, that the conduct was a violation. Nor can they be imposed if the failure to comply was due to reasonable cause rather than willful neglect and the problem was corrected within the 30-day period.

McAndrew says the agency is using the new guidance to answer "burning questions" that had been addressed in previous guidance. The agency also added some new topic areas that were not included in earlier guidance. "This is the start of an ongoing process where we will be expanding the guidance material," she says. When OCR is unable to publish guidance, it will continue to answer specific questions through its "Frequently Asked Questions," she adds.