Attendees at HIPAA Forum gathered to hear the latest on compliance, implementation, and enforcement—and allay their fears.

Judging from the repetitive nature of audience queries at each session, there were essentially two questions on the minds of the hundreds of attendees at the recent Health Insurance Portability and Accountability Act (HIPAA) Implementation Forum, sponsored by the Health Care Compliance Association (HCCA) and Advancing Health in America: How severe will the punishment be for noncompliance with the HIPAA privacy rule; and will the rule lead to a deluge of patient complaints and new lawsuits?

And while the keynote speakers and other session leaders at the conference, held in San Diego, December 10-11, did not dispel these fears completely, they did provide comprehensive education about the rule and specific strategies to ensure successful integration of HIPAA compliance into existing programs.

The goals of the 2-day forum were to initiate dialogue on best practices of compliance by presenting case studies; develop benchmarks from which participants could evaluate compliance efforts; and help attendees identify strategies for working with key departments such as medical records, Internet technology, nursing, billing, and registration to integrate compliance training, implementation, and monitoring.

Regulator Calms Enforcement Fears
The conference’s first speaker, Alex Azar, general counsel of the US Department of Health and Human Services, offered a federal regulator’s perspective on privacy. “This is a system of privacy regulation that is based on common sense,” Azar said of the rule.

Among other topics, he addressed the recent Research Provision modifications, which were published in August. “We heard a lot of complaints from people, that the original provision was too complex,” he said. “The original eight criteria were called confusing and redundant. We have streamlined these criteria, and also eliminated certain requirements.” In particular, the research modifications now include a single set of requirements that apply to all types of authorizations, including those for research purposes. This eliminates the specific provisions for authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual. As a result, an authorization for such research does not require any additional elements above and beyond those required for authorizations in general.

Also, Azar said the requirement that there be an expiration date on research authorizations has been modified, stemming from complaints that the particular end date of a research study may not have been known under the previous regulation.

Azar’s response to the numerous questions about enforcement sought to reassure attendees. “We are not going to have auditors sweeping down on hospitals and health care groups. It will be entirely a complaint-driven process,” he said. “As an organization, we have limited resources, too. We will prioritize the enforcement. Complaints have to be well-founded.”

OCR Manager Addresses Enforcement
Azar’s address was followed by an “Enforcement Perspective on HIPAA,” led by Ira Pollock, JD, regional manager for the Office of Civil Rights, US Department of Health and Human Services, San Francisco.

Like Azar, Pollock tried to reassure attendees that enforcement should not be feared. “Historically, most complaints to our organization have been informally resolved. We really stress voluntary compliance,” he said. However, his address went on to clearly spell out the consequences of noncompliance. Among his key points:

  • The privacy rule will be enforced by complaints filed by patients who believe they have been discriminated against. OCR will look at compliance reviews from tips, and review any program that receives HHS funds.
  • Complaints must be filed within 180 days of an incident.
  • Complaints must be in writing.
  • OCR has “delegation of authority to enforce the rule,” and to impose civil monetary penalties.
  • Organizations are required to permit access without notice to their facilities, as well as access to the appropriate books, records, and anything pertinent to compliance.
  • After that, there is a penalty of $100 per violation, with a $25,000 cap for each calendar year.
  • However, the Department of Justice can impose up to $50,000 in fines and 1 year in jail for knowingly obtaining or disclosing information.

Research, Security, and the Internet
Among the other presentations at the forum, the best attended included a session on HIPAA and Research, a session on Privacy and Security, and a session on HIPAA Web-based strategies. The first contained a detailed review of the sections of the rule related to research, as well as the research site’s perspective on HIPAA implementation. Research requirements that were covered included this information:

  • Covered entities must provide detailed notices of their privacy policies and practices to study participants.
  • They must provide physical, technical, and administrative security.
  • They must allow data subjects to access and correct protected health information about themselves.
  • The August 14, 2002, revisions are practical and appropriate and will reduce HIPAA’s negative impact on research.

The Privacy and Security session, led by Alan S. Goldberg, a partner with Goulston & Storrs in Boston, described the likely offenses and best defenses when HIPAA enforcement starts. The session also presented the federal sentencing guidelines and corporate compliance programs in detail. Goldberg gave the following advice on what organizations should do to avoid civil HIPAA penalties:

  • Use reasonable diligence to know as much as you can about HIPAA.
  • Establish policies that evidence a reasonable approach to prevention.
  • Avoid being neglectful or reckless.
  • Try to cure breaches within 30 days.
  • Ask for extensions if necessary.
  • Seek technical advice if necessary.
  • Document everything.

In addition, a HIPAA Web-based strategies session, led by Evan Crawford, director of Internet strategies for the Children’s Hospital of Philadelphia, gave attendees practical techniques for using the Web to reduce time, cost, and frustration during HIPAA implementation. “There are two specific regulations, privacy and security/electronic signatures, that require staff training,” said Crawford, who suggested companies look into using Web services concepts that introduce a single Web-based model for transaction and security. Also discussed were strategies for leveraging HIPAA compliance to add value to e-health and e-commerce initiatives.

Ben Van Houten is associate editor of The Hearing Review magazine.

Web Resources
The following Web sites contain comprehensive, up-to-date HIPAA information:

  • The HealthCare Compliance Association site.
  • The Health Care Information and Management Systems Society site contains HIPAA information specifically for information technology administrators.
  • Offers the final privacy rule regulations.
  • The site offers links to the final transaction sets and codes along with an FAQ section on implementation.
  • The Health Insurance Association of America (HIAA) offers a HIPAA privacy primer with legal interpretations from a broad health care perspective.
  • A professional organization offers a series of articles on executing HIPAA regulations.