HIPAA Regulatory Alert: Hospitals don’t want fined entities identified

The American Hospital Association (AHA) says it is “troubled” by a Department of Health and Human Services (HHS) plan to publicize the identity of those covered entities given civil monetary penalties under enforcement of HIPAA’s administrative simplification section. The association also says it is especially concerned over the department’s expectation that consumers will use the information to help choose a health care provider.

In written comments to HHS, Melinda Reid Hatton, AHA vice president, said hospitals had asked that HHS make available to covered entities information about violations, proposed solutions, and good practices in a form that did not identify violators. “Making information available in an unidentified format would allow covered entities to understand how the Office of Civil Rights and the Centers for Medicare & Medicaid Services interpret and apply the HIPAA regulations in specific cases and would encourage remediation of problems and violations discovered through the enforcement process,” she said.

“The information would enable covered entities to gain a better sense of the types of compliance problems that are occurring and the misunderstandings that exist regarding application of the HIPAA regulations,” Hatton explained.

But the notion that information about violations of HIPAA technical requirements is useful to consumers is flawed, she noted. “Consumers should not make their health care decisions based on HIPAA’s technicalities. These are irrelevant to the quality of care patients receive from a provider. As the number of complaints filed with the Office of Civil Rights for incidents that are not HIPAA violations suggests, many consumers do not understand these complicated rules,” Hatton added.

Moreover, she said, although health care consumers who are informed that a hospital violated the HIPAA medical privacy rule are likely to believe the hospital does not adequately protect patient privacy, most violations of the medical privacy rule are not the result of an impermissible use or disclosure of patient information and are likely to be only technical in nature.

AHA said it appreciates that compliance with technical requirements of the administrative simplification provisions, including the technical requirements of the HIPAA medical privacy rule, is important and that accrediting entities need to know of these facts. However, it said, a policy with the potential to seriously mislead the public about the meaning of medical privacy rule violations where no impermissible use or disclosure occurred is unwarranted and irresponsible.

Methodologies not easy to understand

Hatton also pointed out that the methodologies used to establish violations and penalties, such as statistical sampling and the number of days a requirement was not met, are not easy to understand. She cited the example of a potential publicized finding that a hospital had 1,100 violations of the medical privacy rule in a 90-day period, when the violations would refer to nothing more than the hospital’s inability to document that its Notice of Privacy Practices was acknowledged by people admitted to the emergency department, or to a determination by the department that the processes used to collect data for the accounting of disclosures with respect to 1,100 patients do not have all the details needed to comply with its guidance. “As a result,” she said, “a statement that Hospital A paid several thousand dollars in fines due to 1,100 violations of the privacy rule arguably is misleading and could panic individuals into distrusting their provider.”

In other comments, Hatton:

  • endorsed the department’s continued emphasis on voluntary compliance;
  • urged the Office of Civil Rights and the Centers for Medicare & Medicaid Services to fulfill the enforcement rule’s promise to “continue to work on educational and technical assistance materials, including additional guidance on compliance and enforcement and targeted technical assistance materials focused on particular segments of the health care industry”;
  • called on the government to provide more information to covered entities on the methodologies for establishing any violation and the amount of a penalty;
  • expressed concern that the proposed enforcement rule significantly restricts and limits a covered entity’s ability to present a defense and appeal an adverse ruling, including imposition of a civil monetary penalty.

[Download the comments from the HIPAA section of www.aha.org. Contact Melinda Hatton at (202) 638-1100.]