HIPAA Compliance Strategies

How Risky Is It to Ignore Requirements That Appear to Be 'Trivial'?

Reprinted from the January 2005 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The HIPAA privacy rules require covered entities (CEs) to take certain steps that, with the benefit of nearly two years of post-deadline hindsight, appear to be somewhat trivial and unproductive. Some privacy officers have gone so far as to term them a "waste of time," because in many instances few patients evidently benefit from these time-consuming actions. What are some of these "lesser requirements"?
Is There 'Real Liability' Here?

RPP asked several experienced privacy attorneys how risky it is for CEs to fail to comply with requirements that are seemingly trivial or unproductive in terms of achieving meaningful patient privacy. According to Reece Hirsch, with the San Francisco office of the firm of Sonnenschein Nath & Rosenthal LLP: "The HIPAA privacy rule is generally very specific in its requirements, so it's usually not too hard to tell if you're out of compliance. It remains to be seen how rigorously the Office for Civil Rights (OCR) is going to enforce the rule. But, nevertheless, I think that it's dangerous for a covered entity to simply disregard any requirement as impractical or a waste of time even though it may very well be impractical and a waste of time."

Information presented below is based on interviews with other privacy attorneys who chose to remain anonymous for this story. The issue of whether to comply with federal requirements that are considered to be trivial is an area of great sensitivity. With some of the requirements cited above, it could be inferred that, as a practical matter, they will not be enforced by OCR, so CEs might conclude there is no need to get too worried about them. However, the law creates obligations and potential penalties, and there is always the possibility there could be a complaint, an investigation and a penalty imposed. And depending on the severity of it, the case could be forwarded to the Justice Department for further review and investigation. That having been said, there have been thousands of complaints brought under the HIPAA privacy rule, and there hasn't been one civil penalty imposed yet. So, as a practical matter, the likelihood of the imposition of a civil penalty is very low.
But that could change at any time, and no CE wants to be involved in the first case of a party that has failed to provide an accounting of disclosures, or to maintain the accounting of disclosures, or to fail to obtain signed receipts that privacy notices were received. So CEs need to be very careful. RPP does not want to be in the position of suggesting that noncompliance is okay, or that, as a practical matter, CEs are not likely to be fined for failure to comply with certain requirements. However, one can certainly say that, in the year and a half since April 2003, there have been no fines imposed. It is also accurate to note that parties have suggested to OCR that they take another look at the accounting for disclosures requirement because it is so onerous, and patients have not been availing themselves of this right. While it may be an onerous, time-consuming, costly obligation that has shown to be of little interest to patients, it is required, and CEs will fail to comply at their own risk.

Health care organizations, as with entities in other industries, undertake cost-benefit analyses in terms of regulatory compliance. Risk management decisions are made as risks are identified, analyzed and managed, and resources are allocated based on which risks are likely to occur more often and create more liability and greater expense when they arise. Regulatory compliance is a part of the cost-benefit analysis that any closely regulated company has to engage in. But regardless of the outcome of such an analysis, and the steps taken as a result, if there is a subsequent compliance problem, and it turns out that a regulated entity did not do what it was supposed to do, there are real liability exposures to deal with.