Enforcement of HIPAA privacy requirements

By Elizabeth E. Hogue, Esq.
Burtonsville, MD

The deadline for compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, April 14, 2003, came and went with little fanfare. What has happened since that date in terms of enforcement?

There has been one reported conviction for violation of the privacy rule. Richard W. Gibson of Washington entered a guilty plea in U.S. v. Gibson, W.D. Wash. No. CR04-0374FM.

Gibson pled guilty in federal court in Seattle to wrongful disclosure of individually identifiable health information for economic gain. In the plea agreement, Gibson admitted that he obtained a cancer patient’s name, date of birth, and Social Security number while he was employed at the Seattle Cancer Care Alliance. He disclosed this information to obtain four credit cards in the patient’s name.

Gibson then used the credit cards to incur more than $9,000 in debt in the patient’s name. Gibson used the cards to purchase various items, including video games, home improvement supplies, apparel, jewelry, porcelain figurines, groceries, and gasoline for his personal use.

Gibson was fired shortly after the theft was discovered. The government and Gibson agree that he should be sentenced to a term of 10 to 16 months.

In terms of civil enforcement, the Office of Civil Rights (OCR) of the Department of Health and Human Services, the primary enforcer of HIPAA privacy requirements, said in a "Compliance Activity Summary" issued July 31, 2004, that it has received more than 7,577 complaints. Fifty seven percent of these complaints already have been closed.

The cases were closed because OCR lacks jurisdiction under HIPAA. Examples of cases closed on this basis include complaints alleging a violation prior to the compliance date or claiming a violation by an entity not covered by the privacy rule. OCR also has closed a number of complaints in which the activity alleged does not violate the rule, such as when covered entities have declined to permit disclosures when they are not mandatory or when the claim has been satisfactorily resolved through voluntary compliance.

The types of claims most frequently received by OCR are:

  • impermissible use or disclosure of identifiable health information;
  • lack of adequate safeguards to protect identifiable health information;
  • refusal or failure to provide individuals with access to or copies of their records;
  • disclosure of more information than is minimally necessary to satisfy a particular request for information;
  • failure to have the individual’s valid authorization for a disclosure that requires one.

Complaints have been filed most often against the following:

  • private health care practices;
  • general hospitals;
  • pharmacies;
  • outpatient facilities;
  • group health plans.

OCR refers appropriate cases that involve knowing disclosure or obtaining protected health information in violation of the rule for criminal investigation and possible prosecution to the U.S. Department of Justice. OCR has made 108 such referrals thus far.

Based upon that information, it is tempting to conclude that providers, especially long-term care facilities, home health agencies, home medical equipment companies, and hospices are doing an excellent job of compliance with the privacy rule and should simply keep up the good work. Providers should bear in mind, however, that OCR still is in the early stages of enforcement efforts. Enforcement may become more stringent in the future, and providers should remain vigilant with regard to compliance with the HIPAA privacy rule.

[A complete list of Elizabeth Hogue’s publications is available by contacting Elizabeth E. Hogue, Esq., 15118 Liberty Grove, Burtonsville, MD 20866. Phone: (301) 421-0143. Fax (301) 421-1699. E-mail:]