Private medical practices top the complaints of HIPAA violations, according to the Health & Human Services’ (HHS) Office of Civil Rights (OCR). As of May 31, 2005, the latest period for which records are available, there were 13,168 complaints nationwide about alleged HIPAA violations. Sixty-five percent of these complaints have already been closed by OCR.
Following private practices, other entities most complained against include (in order) general hospitals, pharmacies, outpatient facilities, and group health plans. The most common complaints (as of 5/31/05) were impermissible uses and/or disclosures, inadequate safeguards, denial of access to records or charged excessive fees, failure to adhere to minimum necessary procedures, and failure to obtain a valid authorization where required.
The most common reasons for closing the 65% of complaints already resolved were: lack of jurisdiction (the respondent was not a covered entity, or the alleged violation predated 4/14/2003); the alleged conduct is not prohibited by the Privacy Rule; or the matter was resolved through voluntary compliance and technical assistance.
Healthcare entities are permitted to use and/or disclose personal health information (PHI) in order to carry out essential health care functions, such as treatment, payment, and health care operations.
Civil Monetary Penalties (CMPs) can be imposed by OCR at $100 per violation. The CMPs are capped at $25,000 for each calendar year for each identical requirement or prohibition that is violated. The covered entity has a right to notice and a hearing before a CMP becomes final. Also, the Department of Justice (DOJ), which shares enforcement authority with HHS, can impose criminal penalties if an individual "knowingly" and "wrongfully" discloses health information. Fines and prison time range from $50,000 and one year in jail to $500,000 and 10 years in jail if the intent of the violation was for personal or commercial gain or to cause malicious harm.
Many violations occur in situations that can be prevented, such as when staff talk among themselves when patients are within hearing, or visits are conducted in open exam rooms. Private practice staff members should concentrate particularly on areas where they have face-to-face interactions with patients, like ensuring that employees are not discussing PHI with those not involved in a patient’s treatment.
Staff education and preparedness also matter to OCR. If a patient complains about something, the practice should work with the patient before he or she thinks of contacting OCR, which reduces the chances of being investigated. The best thing a practice can do is respond quickly to a patient's complaint and let the patient know what has been done to change policy and resolve the problem.
Office staff should ask themselves where they are leaking information and take steps to plug the leak. This should be done continually, not only after a complaint has been filed. One common source of information leaks is phone calls: staff need to verify a caller's identity before releasing health care information over the telephone.
Much of HIPAA is common sense and is effective if communicated properly and clearly to all the parties involved, including staff members as well as patients.
OCR will not consider a PHI disclosure a violation if it is incidental or accidental, as long as the practice has put reasonable safeguards in place and adheres to the minimum necessary standard.
For more information, please visit the HHS/OCR website at http://www.hhs.gov/ocr/HIPAA/ or call the OCR Privacy Toll Free Number at 866-627-7748.
Want to suggest a topic for us to cover? Please email your ideas and suggestions to editor@saince.com.
Uniformity Project
A group of payer and provider organizations has initiated a joint project to bring uniformity to the identification, communication and mitigation of health information technology security vulnerabilities.
The project is called the eHealth Vulnerability Reporting Program. The group has formed working groups for the areas of communications, legal issues, vulnerability assessment and reporting. Membership is open to other payers and providers, as well as information technology and security vendors.
Charter board members include:
- Catherine Peper, vice president of e-medicine at Blue Cross and Blue Shield of Florida in Jacksonville
- Augusta Kairys, vice president of provider relations at Highmark Blue Cross Blue Shield in Pittsburgh
- Paul Connelly, vice president and chief information security officer at Hospital Corporation of America in Nashville, TN
- John Halamka, MD, CIO at CareGroup Health System and Harvard Medical School in Boston
- Daniel Nutkis, principal at DNI, a Dallas-based consulting firm
- Robert Mandel, MD, vice president of health care services at Blue Cross Blue Shield of Massachusetts in Boston
- Robert Schaich, vice president and CIO at Sierra Health Services Inc. in Las Vegas
The goals of the initiative are to enable a dialogue on security issues between vendors and their users, and establish a uniform method for vendors to assess their system security and report findings.
More information on the eHealth Vulnerability Reporting Program is available at www.ehvrp.org.
Current Legislation
House Resolution (HR) 4157 will require the Department of Health and Human Services (HHS) to adopt the ICD-10 coding system for claims transactions occurring on or after Oct. 1, 2009. It will also require adoption of version 5010 of the HIPAA standard for claims by April 1, 2009. The legislation will make major changes in how existing HIPAA transaction standards are updated. It will eliminate the requirement for proposed and final rules in order to speed up the adoption of updated standards. The standards organizations would develop updates and accept public comments before finalizing. The standards organization updating a transaction would be required to explain which recommendations made during the comment period were not accepted and why. Anyone who made a recommendation that was not accepted would have the right to appeal and meet with the standards organization. The text of HR 4157 as amended in subcommittee will be available at http://www.congress.gov.
The development of an electronic health records “bank” was recently called for in the Senate. The Independent Health Record Bank Act would call for the “bank” to be modeled on the financial networks that are used by credit card companies and retail banks. The bill will create an electronic records network that will be operated by non-profit groups. Patients would own their medical records and have the option of selling their health record data on a “blind basis” to research firms. Revenue from the information sales would be split between the patients and health record bank, and it would be tax-free. More information is at http://brownback.senate.gov/LIHealthCare.cfm.
An upcoming bill would authorize the National Science Foundation (NSF) to award grants to colleges and universities for research on enhancing healthcare informatics. Rep. David Wu (D-Ore.) would like to see the funds used to develop multidisciplinary Health and Medical Informatics Research Centers, and for the NSF to fund students studying healthcare informatics and to support improved technical training and education in that field.
AFEHCT and HIMSS to Unify
The Healthcare Information and Management Systems Society (HIMSS) and the Association for Electronic Health Care Transactions (AFEHCT) have agreed to form the HIMSS AFEHCT Business Information Systems Initiative, which will combine the subject matter and expertise of AFEHCT and the organizational strength of HIMSS. The HIMSS AFEHCT Business Information Systems Initiative will become a membership subgroup within HIMSS, whose staff will coordinate and implement activities recommended by AFEHCT leadership. The strengths of both organizations will be combined to promote the best use of information and management systems for the betterment of health care in both administrative and clinical areas.