What’s the Goal: HIPAA Enforcement


Compliance with HIPAA and its attendant privacy and security requirements is a frequent topic of discussion. Those discussions are driven by the daily reporting of breaches and the probably more than daily issues faced by patients, clinicians and others when HIPAA is misinterpreted. In the face of all of these issues, there are not many options for obtaining redress. Unless state law offers some alternative, HIPAA permits filing a complaint with an organization’s privacy officer, the Office for Civil Rights (OCR), or the applicable attorney general. With those options, complaints can then feel as though they disappear into a black hole.

Complaints are not simply dismissed, though. Many thousands result in some form of action, most often by OCR. The typical response from OCR is to send an investigative demand, usually a request for documentation, to the “offending” organization, review the responses, and then offer technical or other similar advice to address the situation. Following that resolution, OCR notifies the complainant of the generalized action taken.

The common scenario outlined above can leave many feeling dissatisfied, though. The lack of overt public action or attention can perpetuate an impression that organizations are able to violate HIPAA with impunity. While so-called “behind the scenes” resolutions are the most frequent outcome, there are also well-publicized settlement agreements and fines.

When a complaint or issue results in a public settlement, the resolution agreement most often cites pervasive non-compliance with the HIPAA Security Rule. While a HIPAA Privacy Rule violation may have been the genesis of the complaint or other issue, it falls by the wayside when reading through the actions or omissions that really caught OCR’s attention. Does this mean that OCR is less concerned with Privacy Rule issues, or just that compounding actions are needed before a fine will be imposed?

Regardless of the answers to the questions and issues posed above, the bigger underlying question is what purpose lies behind the enforcement actions taken by OCR. Actions by states are not really considered here because those are even rarer than monetary penalties from OCR. Should organizations be called to task for violations of all stripes, or should only especially egregious conduct be called out? One’s response to that question will very likely be driven by the side that one is on.

From the perspective of organizations, the behind-the-scenes approach to resolution is probably preferred. It allows issues to be identified, guidance to be provided by OCR, and changes to be implemented. At least that is the optimistic assessment and the hope of what happens at conscientious organizations, which should represent the majority of instances. Private resolution avoids unnecessary shaming and lets the organization move on.

From the individual’s perspective, more public attention and public resolution would likely be preferred. Issues can be pervasive, constant and disruptive. From that perspective, why should a resolution be reached without anyone being informed of what happened? For example, if an organization’s conduct is brought to the fore, more reports may come in that could justify a different response.

From OCR’s perspective, a blended approach is probably preferred. Realistically, the available approaches are also constrained by staff and budgetary resources, which are not as plentiful as would be preferred. Resolving the majority of issues privately enables education and guidance aimed at better overall compliance. When specific lessons are needed, a public fine and settlement can be pursued. That balanced approach can serve multiple needs.

The suppositions from each perspective are purposefully brief and broad-stroke. Specific input from anyone interested in this issue will be appreciated and will help inform the debate and discussion. Let the comments commence.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Business, Compliance, Healthcare, HIPAA, HITECH, Regulations.

2 Responses to What’s the Goal: HIPAA Enforcement

  1. Pingback: What’s the Goal: HIPAA Enforcement - HITECH Answers: HIPAA, MIPS, EHR, Cybersecurity News

  2. Susan A. Mitchell says:

    I would just once like to see someone tackle the issue of off-shoring of our medical records. Transcription companies are doing this to save money – as transcriptionists in various areas overseas will work for even less than we American workers do. But at what cost? Is HIPAA enforceable in any other country? I have been told no, yet the practice continues – continues to possibly endanger the patient’s privacy and continues to degrade our profession. Medical records go for a good price on the black market/dark web because there is so much information contained in them. When are you going to take measures to protect those patients who have no idea whatsoever what is going on with all of their private information?
