March 5, 2007
Is There Bite to HIPAA’s Privacy Rule?
By Selena Chavis
For The Record
Vol. 19 No. 5 P. 12
Chew on this: 24,000 HIPAA-related complaints, zero fines to covered entities. Sounds like a toothless rule, but some say misconceptions mask the fact that it’s doing its job.
Many legal experts say the following is the typical scenario for a valid privacy complaint under HIPAA. Consider a nurse who leaks sensitive information about a patient’s health status to someone outside the scope of the patient’s medical care. Whether malicious or accidental, it is a privacy breach that falls squarely under the HIPAA privacy rule, which took full effect in 2003, says attorney Heather Fesko, partner with the Chicago-based McGuireWoods law firm.
In this real-world scenario offered by Fesko, the individual whose privacy was breached filed a complaint with the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). HIPAA requires that the complaint be filed against the covered entity where the offense occurred rather than against an individual; in this case, the covered entity was a hospital client of McGuireWoods.
To demonstrate voluntary compliance, the hospital submitted a corrective action plan to HHS. The plan satisfied HHS, and a letter of closure was issued to the hospital.
“Individuals have filed complaints, but usually what [HIPAA] has done is seek an appropriate corrective action plan,” Fesko says, adding that the example provided has been very much the norm in her experience.
This April, the privacy rule will have been in force for four years. As of January 23, 24,000 HIPAA-related complaints had been filed with the OCR, and no covered entity had yet been issued a Civil Monetary Penalty (CMP), leaving many legal and healthcare professionals wondering whether the privacy rules have any teeth.
“There’s been not one civil action taken,” says Janlori Goldman, senior advisor with Manatt Health Solutions and founder of the Health Privacy Project, an organization dedicated to raising public awareness of the importance of ensuring health privacy. “They were intended to be set up for investigations … enforcement.”
Barry Herrin, a healthcare and privacy law attorney with Raleigh, N.C.-based Smith Moore, LLP, believes the lack of civil action may diminish the rules’ effectiveness as entities realize the consequences amount to little more than a written warning. Noting that healthcare providers initially ramped up to prepare for the new rules, Herrin says many are now wondering why they put so much time and money into preparation.
“What the government has said is that they are not going to enforce vigorously until everyone has it figured out, but we’re four years out,” he says. “It costs a lot of money. You had to change or adopt new processes—we’ve had clients who have spent $100,000 on this.”
Emphasis on Voluntary Compliance
A 2005 survey released by the California HealthCare Foundation revealed that 67% of Americans are concerned about the privacy of their personal health information but are largely unaware of their rights under the HIPAA privacy rule.
Enacted to regulate the use and disclosure of individually identifiable health information, the privacy rule provides the first national standards for protecting the privacy of health information. Among other provisions, it gives patients more control over their health information, sets boundaries on the use and release of health records, and establishes appropriate safeguards that the majority of healthcare providers must achieve.
It also holds violators accountable through civil and criminal penalties that can be imposed if they violate patients’ privacy rights, raising the question: Why have there been no invoked penalties?
HIPAA authorizes CMPs of up to $100 per violation and up to $25,000 per year for each requirement or prohibition violated. Criminal penalties apply to certain actions, such as knowingly obtaining protected health information in violation of the law. Criminal penalties can reach up to $50,000 and one year in prison for certain offenses; up to $100,000 and five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.
According to an HHS spokesperson, the department determined that it had no jurisdiction over half of the 24,000 complaints filed, for various reasons. “The big misconception is that we have jurisdiction over every complaint that comes through,” he notes.
Of the remaining complaints, it was deemed that the covered entity was not at fault in 2,000 cases, and 4,000 were closed after the entity submitted plans for voluntary compliance. There are currently more than 5,500 still under investigation.
Emphasizing that voluntary compliance has been the objective of the department’s initial efforts to enforce the rules, the spokesperson notes, “If you’re working with a covered entity and they are showing a plan for remediation, that’s a positive.”
Attorney Kevin Paul, HIPAA privacy expert with Denver-based Parsons, Heizer, and Paul, notes that the HHS never really considered that CMPs would be the initial course of action toward their efforts to enforce compliance. “In part, that made sense due to the size of the privacy rule,” he says, adding that the rule is filled with jargon and many new processes and procedures. “It was thought that there might be some misconceptions about the scope of the obligations.”
Paul believes that, in general, there is also an assumption that most covered entities are very concerned about patient privacy and many complaints were technical in nature, making voluntary compliance the most advantageous solution. “That’s where the enforcement rule provides plenty of stick—to back up voluntary compliance,” he says, emphasizing that plenty of verbiage in the rule allows for civil penalties in cases where voluntary compliance is not effective.
Paul added that in his experience, clients are indeed concerned about the potential for fines. “I would not take the position that people take this as a toothless rule,” he says. “People do take it seriously and continue to take it seriously. The fact that you don’t see egregious violations and big fines could be based on the fact that people are doing the right thing.”
A clear picture of whether entities are doing the “right thing” is exactly what is missing from the HHS, says Goldman. Relaying that there is currently no hard data available from the HHS that details the nature or severity of the complaints or the number of repeat offenders, Goldman emphasizes that it’s impossible for the general public or entities such as the Health Privacy Project to know whether voluntary compliance is truly addressing the problem.
“It would be great if OCR would audit how the voluntary compliance is working,” she says, adding that without any civil enforcement actions, the only big enforcement news has been on the criminal front involving the U.S. Department of Justice (DOJ).
The HHS spokesperson also referenced these cases, noting that complaints considered criminal in nature are most often referred to the DOJ for review. Since the privacy rule took effect, the DOJ has filed three criminal cases invoking HIPAA, two of which ended in convictions.
In 2004, the U.S. Attorney in Seattle announced that Richard Gibson was being indicted for violating the HIPAA privacy law. A lab assistant in a local hospital, Gibson accessed the medical records of a person with a terminal cancer condition then applied for credit cards in the patient’s name, running up more than $9,000 in charges. Gibson signed a plea agreement and was sentenced to 16 months in jail.
In the second DOJ prosecution under HIPAA, a Texas woman was convicted in federal court after pleading guilty to felony charges of wrongful use of unique health identifiers. Liz Arlene Ramirez of Alamo was arrested after agreeing to sell individually identifiable medical information about FBI agents to an informant she believed to be working for a drug trafficker.
Goldman believes waiting for the DOJ to provide enforcement is a “clear misreading of the law. The law gives [HHS] the ability to enforce,” she says.
Misconceptions
The HHS believes part of the misunderstanding surrounding HIPAA enforcement rests with the fact that there are misconceptions about the jurisdiction and scope of HIPAA.
Herrin concurs, adding that a recent opinion issued by the DOJ’s Office of Legal Counsel (OLC) limits HIPAA’s criminal provisions to “covered entities,” defined as healthcare providers, health plans (insurers), and healthcare clearinghouses, rather than individuals in general.
Herrin cited a case in Georgia in which an employee tested positive for marijuana, and a manager called the employee’s son to explain that the father had been fired for drug addiction. The father wanted to sue the employer on the grounds that his privacy rights had been violated, but Georgia law followed HIPAA’s scope: the employer would have to be a healthcare provider to be considered a “covered entity.”
Herrin says there is a lack of consistency from state to state as to how privacy rights are protected, adding more difficulties to the overall scope of enforcing HIPAA. “Some states have no protection, some midlevel … there’s no standard. Every state is different,” he emphasizes. “It’s all over the place as to how medical information moves around. If state law provides more access, HIPAA is not going to apply.”
What Will It Take?
HHS, through the OCR, is responsible for civil enforcement of the HIPAA privacy rule. The statute does not create a private right of action, which means a person whose medical record is disclosed cannot sue the covered entity under HIPAA itself. Instead, they can file a complaint with the OCR.
Since no civil action has been taken by the HHS to date, many legal experts believe there is a need for a private right of action to make covered entities take HIPAA seriously. “The feds are going to have to allow a direct right of action in regards to HIPAA,” Herrin says, adding that it’s unfortunate that it will take such effort to enforce rules. “That’s the worst way to make law, but until there are fines and publicity, it’s not going to be seen as important.”
Paul believes allowing a private right of action will open the door to thousands of frivolous lawsuits that could have been avoided. “Most people who feel they have had their privacy violated generally seek correction from the covered entity,” he notes, adding that many privacy issues are resolved before they ever reach the OCR complaint process. “If a patient is concerned, my experience is that the patient will call the hospital with a complaint. At which point, the privacy officer will do everything possible to address the complaint.”
Fesko suggests that while enforcement seems to lack bite at the federal level, cases at the state level suggest HIPAA may be setting a standard. Although HIPAA’s lack of a private right of action precludes individual legal action under HIPAA itself, action can be brought where identifiable health information has been disclosed in violation of other state laws that directly or indirectly protect the privacy of such information.
Herrin agrees, emphasizing that “if there is a robust state privacy statute, patients have the right to sue.” The HIPAA privacy rule generally preempts state laws that are contrary to its provisions, except in certain circumstances that include state laws that are more stringent.
Fesko believes that more focus on individuals rather than covered entities would make HIPAA easier to enforce. The OLC opinion does find that the law can apply to certain individuals, including directors, officers, and employees, who may be criminally liable. The opinion emphasizes that criminal liability will apply especially when “the agents act within the scope of their employment.” For example, if a covered entity decides to sell patient data in violation of HIPAA, employees who carry out that decision within their job description could be criminally liable.
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to healthcare and travel.