HIPAA Enforcement Improving patient access and reducing improper disclosures BY STEVEN SELDE


The Health Insurance Por- tability and Accountabil- ity Act of 1996 (HIPAA) and its Breach Notifica- tion, Privacy, and Secu-

rity Rules are well-known to health care providers and facility administra- tors. The lesser known Enforcement Rule contains provisions relating to investigations, hearings and penalties and takes effect when, despite a facil- ity’s comprehensive and well-docu- mented HIPAA compliance program, something goes wrong. Observing the Enforcement Rule process can provide valuable lessons as your ASC evalu- ates its HIPAA compliance program. The Office for Civil Rights (OCR) of the US Department of Health and Human Services is responsible for enforcing the HIPAA Privacy and Secu- rity Rules. OCR investigates filed com- plaints, conducts compliance reviews and performs education and outreach to achieve this goal. When OCR accepts a complaint for investigation, OCR noti- fies the person who filed the complaint and the covered entity named in it. OCR then asks the complainant and the covered entity to present information about the incident. Covered entities are required by law to cooperate with com- plaint investigations. The beginning of an OCR investi-

gation is a critical period during which covered entities should demonstrate that they take HIPAA obligations seri- ously and do their best to take cor- rective actions immediately. This is important because investigations can extend beyond the initial complaint and become an opportunity for a com-

provisions occur. In very rare cases, OCR may impose civil penalties on the covered entity and violators may face criminal penalties or exclusion from federal health care programs.

plete audit of a covered entity’s com- pliance program. OCR has a pattern of resolving investigations through vol- untary compliance, and the end result of an investigation often depends on how the covered entity responds. If the evidence indicates that the

covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining the covered entity’s voluntary compli- ance, providing technical assistance to the covered entity or imposing a corrective action plan and/or resolu- tion agreement. Since April 2003, the vast majority of complaints have been resolved without a corrective action plan or resolution agreement, as illus- trated in the graph on page 20. Despite this history, ASCs need

to take HIPAA compliance seriously. HIPAA violations carry stiff penal- ties, with a range of $100 to $50,000 per violation and even higher penal- ties if multiple violations of multiple

Examples of Real Investigations Designing a comprehensive HIPAA compliance program requires a signifi- cant investment of an ASC’s resources to ensure that the Security, Privacy, and Breach Notification Rules are thor- oughly addressed. Analyzing previous OCR investigations can assist an ASC in reducing human error and short- comings in a compliance program. The most common basis for HIPAA com- plaints involves impermissible uses or disclosures of protected health infor- mation (PHI). The following examples detail what led to the improper dis- closure or use of PHI and the actions a covered entity took to comply with OCR’s investigation.

Improper Disclosures to Law Enforcement What Happened: A pharmacy dis- closed PHI to municipal law enforce- ment officials in a manner that did not conform to the provisions of the Privacy Rule.

Result: OCR required the pharmacy to revise its policy regarding law enforce- ment’s access to PHI to comply with the Privacy Rule requirements, includ- ing a provision that disclosures of PHI to law enforcement be made only in response to written requests unless state law requires otherwise.

Takeaway for ASCs: This example illustrates two important points. First,

This information is for educational purposes only and should not be construed as legal advice. For specific questions related to this topic or other HIPAA-related concerns, please consult legal counsel.


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34