DOJ raises stakes on enforcement of HIPAA regs
Former DOJ official says the government won’t have to prove intent to prosecute under privacy regulations
Health care providers may be accustomed to battling prosecutors over whether or not violations of federal law were "knowing and willful" before facing prosecution. But when it comes to enforcing patient confidentiality regulations included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the government will simply have to prove the law was broken in order to prosecute providers. That’s according to John Bentivoglio, who until just a few weeks ago was chief privacy officer at the U.S. Department of Justice.
"For criminal defense attorneys and others that handle health care fraud matters, this is a critical distinction, and it raises the stakes significantly for non-compliance," Bentivoglio warned health care providers at the Philadelphia-based Healthcare Compliance Association’s (HCCA) conference in Washington, DC last week. The good news is that providers will likely have until year’s end to prepare for the new law. Declarations by senior Clinton Administration officials that the privacy regulation would be out by Election Day (Nov. 7) have vanished. Now, senior Health and Human Services (HHS) officials say they hope to have the final regulation completed by the end of the year.
That won’t change the way DOJ interprets the regulation once it is released, cautions Bentivoglio, now with the law firm Arnold & Porter in Washington, DC. He says that’s because any person who knowingly obtains personal health information relating to an individual or discloses that information to another person is ripe for prosecution, regardless of intent.
"I have heard a lot of discussion about how the criminal provisions require intent or malice," asserts Bentivoglio. But he argues that the "plain text of the statute" says otherwise. "The government is only required to show knowledge of the act, not knowledge that it is wrongful," he asserts.
Meanwhile, Health and Human Services (HHS) officials refuse to speculate on how the presidential election might impact the shape of the final regulation. But Paul Stewart, a partner with Foley and Lardner in San Francisco, warns the effect may be profound. That’s because Vice President Gore recently called for sweeping changes to the proposed HIPAA regulations that would dramatically alter the privacy landscape for providers.
Among other things, Gore wants to include a private right of action that would give individuals the right to sue a covered entity directly. "That is a very significant change if it comes to pass," warns Stewart. "Everybody should be significantly concerned about that because, at a minimum, it will take additional dollars out of the health care system."
Gore also wants to increase the penalties for violations, notes Stewart. "That is quite significant because the penalties are draconian even as they currently exist," he says. In addition, Gore wants to require patient consent before personal information is used in operational areas. According to Stewart, that would radically change the current proposal.
Stewart cautions providers that HIPAA is not "the be-all and the end-all" of compliance planning. "HIPAA is part of the story," he says. "It is not the whole story." He points out that providers must continue to comply in many instances with existing state laws and that many of those laws are more stringent than HIPAA.
But it doesn’t end there. "There are also competing federal laws out there," asserts Stewart. One of them is the electronic signature regulation signed by President Clinton and now in effect. That regulation eliminates federal and state requirements for hard copies and hard signatures with respect to health information. Unfortunately, Stewart says it conflicts with HIPAA in several important areas, and it’s unclear whether it will require patient consent for the transmission of patient information electronically.
As far as the electronic standards requirements, HHS Senior Attorney Donna Eden says the department expects the economic benefits to drive their adoption. "I don’t foresee data police," she says. "If we have to rely on enforcement heavily, then we have not chosen the right standard."
"That unfortunately is not the case for privacy," warns Karen Trudel, HHS advisor on health information policy. "We don’t have the same kind of self-enforcing regulatory opportunity."
Eden refused to even speculate how much money the average 150-bed hospital should budget for privacy compliance. "I think there are too many variables to be able to answer that question," she maintains. Eden says the first issue confronting hospitals is what they are not now doing that they will need to do under HIPAA. She says that process should begin with "gap analysis" for security, privacy and electronic data interchange (EDI).
"As far as EDI is concerned, a translator and the requirement to mask your data file to that translator is the main expense, but you have to do that gap analysis to know what you are not doing now," says Eden.