Enforcement: Privacy Complaints Filed Steadily Through
2003, Early 2004
Reprinted from the February 2004 issue of REPORT ON PATIENT PRIVACY, an authoritative monthly report on the radical changes in patient health information. For more information go to http://www.aishealth.com/Products/RPP.html.
The public has steadily submitted
HIPAA privacy complaints to the Department of Health and Human Services Office
for Civil Rights (OCR) at a rate of roughly 100 per week. And OCR foresees no
slowdown in the rate of complaints in the immediate future.
Through the end of 2003,
OCR had received 3,745 complaints from individuals alleging an inappropriate
use of protected health information (PHI), or inappropriate restrictions placed
on PHI. And that total has risen to more than 4,000 since the start of the
year. OCR has closed the investigation on 40% of the complaints it has
received. The remainder is still under investigation, according to Susan
McAndrew, senior policy advisor at OCR.
McAndrew briefed the
National Committee on Vital and Health Statistics (NCVHS) at its January meeting
in Washington, D.C., about the progress of its enforcement efforts since the
HIPAA privacy rule went into effect in April 2003.
Three Categories of Open Cases
Of those cases in which
OCR determines the complaint is a valid candidate for follow-up, the cases most
often fall into three categories.
· Impermissible disclosure of PHI. These cases often involve an individual who believes information about his or her PHI has been given out to a third party inappropriately in the course of treatment.
· Lack of physical safeguards protecting PHI. Complaints in this category deal with providers leaving information in publicly accessible areas, such as charts left in reception areas or computer screens left exposed to patients.
· Inappropriate accessing of PHI. OCR has received complaints that, within some organizations, PHI is being accessed for nontreatment-related reasons, such as employee curiosity about a patient.
McAndrew said complaints
most often target physician practices, followed by hospitals, pharmacies and
health plans. To date, McAndrew said, OCR had not sought civil monetary
penalties or other official sanctions in the cases it has investigated. That's
largely because of covered
entities' responses to investigators. "The covered entities have really
been very cooperative," she said. Organizations readily strengthen their
practices or implement training efforts in response to complaints that are
raised by OCR.
McAndrew said she could
not provide a more detailed breakdown of statistics involving complaints
because OCR's data collection methods allow for variability in the way
complaints are categorized. She said, however, that the agency is attempting to
improve its categorization of complaints to provide a clearer picture of where
compliance problems are arising.
Common Reasons for Closed Cases
McAndrew highlighted the
most common reasons why cases were closed:
More than half of the cases OCR has closed were closed because it determined it lacked jurisdiction. Often the events described in the complaint occurred before the April 2003 compliance deadline; OCR does not review complaints that deal with events before the deadline. OCR also closes many complaints because they are lodged against noncovered entities. In this category, McAndrew said her office has received numerous complaints against noncovered entities, frequently from employees who say their PHI has been released into workplace discussions. Unless OCR determines that the release can be traced to a covered entity, it does not follow up on the complaint.
The third most common reason a complaint is closed is that there is no HIPAA violation, though OCR is often able to help clarify a misconception. For example, some complaints have alleged that a hospital refuses to let someone know whether his or her spouse has been admitted, or that physicians have refused to share patient records with another consulting physician. In those cases, McAndrew said, the providers are pursuing a policy that is not a violation of HIPAA, but one that is not required under HIPAA either. "In many cases, we've been able to assure providers that these are permissible disclosures of PHI," she said. "We've seen a lot of confusion in the area of overcompliance, if you will."
No Audits on the Horizon
In 2004, OCR expects to
complete work on its final rule covering procedures for seeking civil money
penalties. Currently, its actions are governed by an interim final rule
published in spring 2003. The final rule will provide greater detail about the
protections afforded covered entities in cases where civil money penalties are
sought. In addition, the final rule will include responses to some of the
comments submitted about the interim rule.
Richard Harding, M.D., a
member of NCVHS, asked McAndrew whether OCR plans to begin auditing covered
entities to look for violations, rather than waiting for complaints to come
forward. OCR has the authority to conduct proactive compliance reviews.
But it has not yet trained a workforce to conduct those reviews and said it has
no plans to start conducting them on a routine basis. "Right now, we
have no plans to use that authority, other than to investigate a situation that
is brought to our attention in some way other than through a complaint,"
she said. For example, OCR might use its audit powers in response to an
anonymous tip or news account of a privacy violation.