Compliance with HIPAA and the attendant privacy and security requirements is a frequent topic of discussion. Discussions around compliance are driven by the daily reporting of breaches and the probably more than daily issues faced by patients, clinicians and others when HIPAA is misinterpreted. In that face of all of these issues, there are not many options to turn to in order to obtain redress. Unless state law offers some alternative, HIPAA permits filing a complaint with an organization’s privacy officer, the Office for Civil Rights (OCR), or the applicable attorney general. With those options, complaints can then feel as though they disappear into a black hole.
Complaints are not just dismissed though. Many thousands result in some form of action, most often by OCR. The typical response from OCR is to send an investigative demand, usually by asking for documentation, to the “offending” organization, reviewing the responses, and then offering technical or other similar advice to address the situation. Following that resolution, OCR will notify the complainant about that generalized action taken.
The common scenario outlined above can leave many feeling dissatisfied though. The lack of overt public action and/or attention can perpetuate an impression that organizations are able to violate HIPAA with impunity. While so-called “behind the scenes” resolutions are the most frequent means of resolution, there can also be well-publicized settlement agreements and fines imposed.
When a complaint or issue results in a public settlement, the resolution agreement most often cites pervasive non-compliance with the HIPAA Security Rule. While a HIPAA Privacy Rule violation could be the genesis for the complaint or other issue, that will fall to the wayside when reading through the actions or omissions that really caught the attention of OCR. Does this mean that OCR is not as concerned with Privacy Rule issues, or just that compounding actions are needed before a fine will be imposed?
Regardless of the answer or response to some of the questions and issues posed above, the bigger underlying question is what is the purpose behind enforcement actions taken by OCR. Actions by states are not really being considered because those are even rarer than monetary penalties from OCR. Should organizations be called to task for violations of all stripes, or only especially egregious conduct called out? One’s response to that question will very likely be driven by the side that one is on.
From the perspective of organizations, the behind the scenes approach to resolution is probably preferred. That allows issues to be identified, guidance provided by OCR, and then changes implemented. At least that is the optimistic assessment and the hope of what happens for conscientious organizations. That should represent the majority of instances. The private resolution avoids unnecessary shaming and lets the organization move on.
From the individual perspective, more public attention and public resolution would likely be preferred. Issues can be pervasive, constant, disruptive. From that perspective, why should a resolution be reached without anyone being informed of what happened. For example, if an organization’s conduct is brought to the fore, maybe more reports will come that could justify a different response.
From OCR’s perspective, a blended approach is probably preferred. Realistically, the approaches are also constrained by staff and budgetary resources, which are not as high as would be preferred. Resolving the majority of issues by private resolutions enables education and guidance that aims to result in better overall compliance. When specific lessons are needed, then a public fine and settlement could be pursued. That balanced approach can serve multiple needs.
The suppositions from each perspective are purposefully brief and broad stroke. Getting specific input from anyone interested in this issue will be appreciated and help inform the debate and discussion. Let comments commence.