HIPAA Compliance Strategies

Lack of HHS, Justice Dept. Coordination Hampers HIPAA Privacy Enforcement

Reprinted from the January 2007 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The HHS Office for Civil Rights says it has no real idea why the Department of Justice (DOJ) has failed to act on any of the privacy cases OCR has referred for possible criminal prosecution. That's because DOJ officials don't tell OCR why a case is closed; they just give notice that it has been closed, according to OCR.

Susan McAndrew, OCR senior advisor for health information privacy policy, made this startling statement in public comments before the National Committee on Vital and Health Statistics (NCVHS), a government advisory committee monitoring implementation of the privacy rule.

OCR is responsible for civil enforcement of the privacy rule, and DOJ is responsible for criminal. Since the rule took effect, DOJ negotiated three plea agreements for violations of the rule, but none were based on OCR-referred complaints. OCR has not imposed any fines, and both agencies are the subject of ongoing criticism. A new Democratic-controlled Congress is taking office this month for this first time since the rule was passed, and members are likely to hold oversight hearings as to why there has been no action by either agency.

At the meeting in late November, an NCVHS committee member asked McAndrew how OCR addresses allegations of lack of enforcement of the rule by either OCR or DOJ.

McAndrew replied that DOJ officials "don't investigate all of the referrals" that OCR sends to it." She added, "But the FBI offices across the country have taken on a number of these investigations — and we simply are not privy to how that all works out."

She said she thinks the 350-some complaints that OCR has referred to DOJ "are more technical in nature, given the language of the statute and what comes within DOJ's jurisdiction." McAndrew added that these cases "wouldn't register on many radar screens as a truly egregious criminal act."

This was surprising news; it was assumed possible criminal cases would reflect more severe violations of the rule. But even that was conjecture. Until recently, OCR did not reveal the number of complaints it refers to DOJ, giving these cases a kind of an allure.

DOJ Cases Are a Source of Mystery

Many in the privacy community, hungry for any shred of guidance from OCR, believed that these cases would reveal some new insights if only OCR would provide details about them.

Apparently not. McAndrew made it plain that these cases don't contain much usable data. For one thing, OCR does not review the cases before it sends them to DOJ.

"These cases are largely referred based on the complaint itself, because they do allege an activity that is serious enough to warrant DOJ to consider a criminal investigation," she said. "But that is all they are."

Committee member Mark Rothstein seemed incredulous. "You have not investigated those cases," he said. "We have not investigated those cases," McAndrew replied.

In comments to RPP, Rothstein, chair of NCVHS's privacy subcommittee, lamented this fact. "I would prefer that OCR took a more active interest in these cases, including reviewing the DOJ dispositions," Rothstein said. "Assuming that OCR reviewed them in advance of referral to DOJ, one could argue that cases OCR considered potentially serious enough to refer to DOJ for possible criminal prosecution would be the most appropriate cases for possible civil penalties in the event DOJ chose not to proceed."

Yet, since there have been no penalties from either agency based on a complaint, "clearly, the policies of DOJ and OCR are not designed for vigorous enforcement of either the criminal or civil sanctions under HIPAA," he added.

Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, told RPP he understood the process of referral and presumed that DOJ probably kicks out cases on the same basis that OCR does.

"OCR does not screen the cases before sending them to DOJ. My understanding is that if there is conduct alleged in the complaint that arguably violates the criminal provisions of HIPAA, it is sent to DOJ," he said. "I'm sure many of these cases are not pursued for the same reasons that OCR terminates its investigations, for example, lack of jurisdiction."

He speculated on another reason — DOJ and OCR don't agree on whether people can be prosecuted under HIPAA. "DOJ's policy that individuals may not be prosecuted under HIPAA because they are not covered entities also probably results in many dismissals of complaints," he said.

McAndrew defended OCR, saying that just because OCR has not imposed any penalties, that doesn't mean enforcement has been lax - a sentiment OCR has repeatedly expressed.

"From our perspective, that is not a measure of the vigor with which we investigate cases or achieve enforcement activities, McAndrew said. "Many of the actions that we have achieved through voluntary compliance...we consider to be active enforcement of the rule, and we are quite proud of our record in terms of getting things fixed for individuals as well as for others systemwide."

She added that OCR doesn't entirely dispense with the rejected DOJ cases.

OCR will "take that case back" and determine "whether there are aspects of that case that are within our civil jurisdiction, and we do try to investigate those cases so that they.[are] not something that simply falls through the cracks," McAndrew said.

At the meeting, Rothstein and several other NCVHS members agreed to meet with McAndrew some time in the next two months "to take a closer look" at the DOJ-referred cases to see what can be learned.

New OCR Data Are Released

NCVHS members routinely push McAndrew to provide some information stemming from the complaints that might provide guidance for privacy officials.

McAndrew generally just gives a basic report on complaints, and the November meeting was no exception. She gave the following data:

As of Oct. 31, 2006, OCR had received 23,268 complaints, and "closed" 76% of them without action. Of the remaining 24%, OCR "obtained change or action" in 68%, and found no violation in the remaining 32%. The most common form of OCR intervention was technical assistance.

As with previous reports, McAndrew listed the top five reasons for complaints:

• Impermissible uses/disclosures of PHI,
• Lack of adequate safeguards to protect PHI,
• -- Refusal or failure to provide individuals with access to or copy of records,
• Disclosing more than the minimum information necessary to satisfy a particular request for information, and
• Failure to obtain a valid authorization for a disclosure that requires one.

She also listed the most common entities complained against, which were private health care practices; general hospitals; outpatient facilities; group health plans and insurance firms; and pharmacies.

OCR to Tackle 'Dumpster' Cases

Pharmacies involved in so-called "dumpster cases" have actually consumed a fair amount of OCR attention, McAndrew said. In November, an Indianapolis television station reported it had found protected health information on medicine bottles and records in dumpsters in more than dozen cities. The station brought the dumping to the attention of OCR and state authorities.

"Curiously, one of our very first complaints that we got back in April `03 was a dumpster case, and they have just continued to crop up from time to time," McAndrew said. "This is something that is really easy to stop, and we are hoping to get people to focus a little bit of attention to stop these kinds of activities. There is no reason for it."

McAndrew said OCR was "giving some attention, and would continue to give some attention in the coming months to getting some wider spread corrective action attention to record abandonment."

And she promised other help was on the way from OCR.

"There are a variety of things we are looking into," McAndrew said, including "using the case information to establish more of a best practice kind of information" tool.

She said posting this kind of information on OCR's Web site is something the agency is "actively looking into." OCR could "have prominent cases posted and have resolutions put up there as well, where we think [corrective actions] have been particularly effective."

In this way, OCR would be "getting the word out," while providing examples of "things to look for in your own situation to try and prevent" infractions. For entities that have faced similar situations, the information about such incidents would reveal the "ways that other people have sought to fix them."

"These are all good uses of complaint information," McAndrew told the subcommittee, "and they're all being discussed in terms of things that OCR can implement in the future." She did not provide any timeline for completion of these efforts.

"At public sessions, covered entities have complained to OCR that the lack of enforcement translates into lower effort at HIPAA compliance," said Peter Swire, a law professor at the Ohio State University and former chief counselor for privacy in the Office of Management and Budget under the Clinton administration.

"With over 1 million covered entities, there needs to be a clearer signal that HIPAA is being enforced," he asserted.

"The lack of coordination between HHS and DOJ gives one more reason why the new Congress should look into the HIPAA enforcement system," Swire said.

"The HHS approach is to work with violators rather than ever bring a complaint. The new testimony indicates that DOJ makes HIPAA enforcement a very low priority. The new Congress should investigate what it will take to create reasonable enforcement," he added.

"The lack of coordination on HIPAA enforcement is something the two agencies should be able to work out between themselves. If there is some legal impediment to coordination, they should tell Congress what that is and get it fixed," Swire said.

Jeff Kerber, who is the manager of general consulting services at Inteck Inc., a firm that specializes in information systems at health care organizations, said "on the one hand, it is hard to imagine the two agencies are not working together to coordinate enforcement.

On the other hand, we are talking about the federal government."

"The lack of communication can do nothing but continue to make the HIPAA privacy and security rules look like a farce," Kerber asserted. "The media reports cases of PHI being discovered blowing across the yards of patients, but cases like this are closed without providing OCR with an explanation. It appears that the only thing HIPAA has done is to bring patient privacy into the media limelight," said Kerber. "The lack of real enforcement and poor communication between the agencies charged with enforcing the law will allow covered entities to continue with the status quo," he added.

Advertise With AIS

Privacy

Site Map