HIPAA Regulatory Alert

OCR reports more than 5,000 complaints

Largest number filed against private practices

As of April 2004, the Department of Health and Human Services’ Office for Civil Rights (OCR) had received more than 5,000 complaints from individuals about alleged HIPAA privacy violations. New Haven, CT-based Wiggin & Dana attorney Jennifer Wilcox says the largest number of privacy complaints was lodged against private practices, followed by hospitals, pharmacies, and health plans.

By the end of June, OCR had closed 48% of the complaints, including many that were disposed of easily on jurisdictional grounds, such as complaints about conduct that predated the compliance date, complaints against noncovered entities, and complaints filed more than 180 days after an incident. Wilcox says the complaints that OCR decided warranted further investigation fall into three broad categories: lack of adequate safeguards, such as leaving charts in public areas or computer screens exposed to patients; improper access to protected health information, such as employees viewing records for reasons unrelated to treatment; and impermissible disclosure of protected health information to third parties not involved in treatment.

According to Wilcox, OCR has received a large number of complaints about failure to disclose protected health information to family members. Although such a failure is not a HIPAA violation, OCR says it has provided technical assistance to providers who are the subject of such complaints so they realize that HIPAA permits such disclosure in many instances.

"Questions of disclosure to family members have received a lot of media attention since the HIPAA privacy act compliance date," she says, "and many providers who initially adopted very strict policies may be relaxing their approach due to the backlash. While providers may wish to be flexible in adapting their policies based on customer and patient feedback, they still need to remember that improper disclosures to family members can have serious implications."

To date, OCR has not sought civil monetary penalties or other official sanctions for any cases it has investigated. Wilcox says agency officials have indicated that providers have been cooperative with investigators, readily strengthening their policies or implementing training efforts in response to complaints. According to the OCR director, she reports, 50 complaints have been referred to the Department of Justice, the agency charged with investigating and enforcing criminal violations of HIPAA rules. OCR staff also indicated there are no plans to institute audits, compliance reviews, or other efforts to affirmatively look for violators.

Few court cases have yet addressed the HIPAA privacy rule, Wilcox says, although some courts have considered the privacy rule’s pre-emption provisions in connection with discovery requests and subpoenas. The reasoning of the courts that have looked at those provisions so far suggests that HIPAA pre-emption will be a difficult issue for courts in coming years, as seen in these decisions:

• A federal court in Louisiana ruled that HIPAA was more protective of patient privacy than state law, even though state law allowed patient records to be disclosed only with patient consent or based on a court order entered after a hearing.

• A federal court in Maryland concluded that HIPAA pre-empted a Maryland law that requires health care providers, without the patient’s authorization, to disclose to defense counsel medical records relating to a patient’s health, health care, or treatment when that condition forms the basis of a civil action brought by the patient.

• A New Jersey state court said HIPAA did not pre-empt a practice authorized by state Supreme Court precedent in which defendants in all personal injury cases are permitted to conduct informal interviews with plaintiffs’ treating physicians as long as specific patient authorization requirements are met. The court determined that the interviews did not conflict with the general principles of HIPAA and, as HIPAA does not expressly address informal discovery, New Jersey law should govern the practice. But it required that the authorization forms used be revised to meet HIPAA requirements.

• The question of HIPAA pre-emption also has come up in two courts that were addressing the constitutionality of the Partial-Birth Abortion Ban Act of 2003. During discovery in those cases, U.S. Attorney General John Ashcroft issued subpoenas to several hospitals in New York and Illinois seeking medical records of women on whom certain abortion procedures had been performed. In each case, the court issued a protective order requiring removal of certain identifying information. In both cases, physicians argued that more stringent state laws precluded the disclosure. The New York court decided that the New York law did not apply in federal cases, while the Illinois court held that Illinois law applied because it was more stringent. The Seventh Circuit has affirmed the decision in the Illinois case, while the Second Circuit has stayed the New York court’s order pending its decision. The government has since withdrawn its subpoena for the New York hospital records, and Wilcox says it is thus unlikely the appeals court will rule on the legal questions.

Compliance deadlines

Extended deadlines for some compliance tasks have arrived, and covered entities should be sure they are up to date. Wilcox says covered entities were required to execute business associate agreements with vendors by April 14, 2004, and providers should examine their contracting process to be sure every existing vendor agreement has been checked and business associate language added where appropriate.

Also, small health plans (those with annual receipts of $5 million or less) had an additional year to comply with the privacy rule. Many of the smaller plans are fully insured and have significantly fewer compliance obligations. Wilcox advises organizations that sponsor benefit programs for their employees to review the nature of the benefits and be sure they are aware of what their compliance obligations are. Common programs such as flexible spending accounts that reimburse medical expenses or employee assistance programs may be considered HIPAA-covered entities, she says, and even smaller self-insured plans require compliance steps.

The HIPAA security rule compliance date of April 21, 2005, is the next major hurdle. Wilcox says HIPAA security implementation needs to be structured and documented according to the security rule’s standards and implementation specifications. Although specific information technology solutions will help in achieving many of the security standards, she says, there also are organizational, systemic, and documentation issues that must be addressed.