The HIPAA Privacy Rule is an aspect of HIPAA that does not necessarily receive much attention. Most of the recent settlements and breach actions related to violations of the HIPAA Security Rule. The Security Rule offers more glamour from the press perspective because cybersecurity, hacking and other activities attract headlines.
However, as reported in a series of articles by Charles Ornstein at ProPublica, major deficiencies exist in compliance with the Privacy Rule. From some perspectives, the Privacy Rule is the easier piece of HIPAA to comply with. The requirements, from the healthcare regulatory perspective, are fairly black and white. The Privacy Rule spells out exactly what covered entities (and to some extent business associates) must do in order to comply. Policies and procedures can be crafted almost word for word from the regulations.
Despite the relative ease with which compliance can occur, why are organizations failing to comply? Could it be that organizations do not fear enforcement by the Office for Civil Rights? In a recent episode of This Week in Health Law, Deven McGraw from the Office for Civil Rights provided some insights. Attorney McGraw suggested many privacy issues are resolved behind the scenes by direct contact between OCR and the particular entity. As such, issues are, to put it somewhat pessimistically, swept under the rug. Despite that history, Attorney McGraw hinted that OCR would and should be taking more action to penalize organizations for non-compliance.
With that backdrop, it is interesting that OCR announced a privacy-related settlement on February 16th. Could the settlement with Complete P.T., Pool & Land Physical Therapy, Inc. (“CPT”) be the tip of the iceberg for privacy-related settlements? That may be the hope.
The CPT settlement, in which it paid $25,000, stemmed from its inappropriate use of patient testimonials. As revealed in the Resolution Agreement, CPT posted numerous patient testimonials, which included patient names and photographs, to its website without obtaining a valid authorization as required by HIPAA. Instead, CPT posted the information on its website for its own benefit. Interestingly, the Corrective Action Plan specifically directs CPT to remove the testimonials from its website. The activities identified in the CPT agreement date back to 2012. How could those testimonials not have been removed before now? Why did it last for so long?
The CPT settlement also follows a blog series on correcting some HIPAA privacy misunderstandings through the Office for the National Coordinator of HealthIT. The blogs have included posts about interoperability, permitted uses and disclosures, and most recently care coordination. The point is to highlight when protected health information can be used permissibly under HIPAA, which ties back to fully understanding the Privacy Rule. As may be demonstrated by the CPT settlement, failure to comprehend and appropriately implement policies and procedures under the Privacy Rule may soon result in monetary pain.
Generally, more attention needs to be directed toward privacy compliance. In addition to the possibility of enforcement actions, organizations also need to get their houses in order before the long-awaited Phase 2 HIPAA audits begin. Given the well-known concerns about the lack of privacy compliance, organizations should review all policies and procedures to assess where they stand. Additionally, organizations should think twice before using patient information. Authorizations are necessary. The Privacy Rule is very clear on what needs to be in an authorization as well. Review the rule and get the form in proper order.