HIPAA Compliance Strategies

HIPAA Privacy Investigations Are Becoming Much More Aggressive

Reprinted from the May 2006 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

Privacy investigations are taking some twists and turns, privacy officers say. They are evolving both inside health systems and in terms of the way the HHS Office for Civil Rights (OCR) interacts with covered entities (CEs).

This is playing out in a number of ways. For one thing, OCR investigators reportedly have become more intense, probing and sophisticated. Inside CEs, privacy officers are finding that some patients now take routine complaints to OCR even when they have been addressed or resolved through a different process.

At Allina Hospitals & Clinics in Minneapolis, a recent patient grievance morphed into an OCR complaint six months after the health system resolved the problem through the patient grievance process.

"In this case, the patient representative brought us into the issue early so we were able to support the site by assisting in the investigation and education of this issue. We investigated the matter thoroughly and provided a response to the allegations directly to the patient," says Jennifer O'Brien, vice president of corporate compliance. "Unfortunately the patient was not satisfied with the outcome and requested contact information to file a complaint with the OCR. We supplied the contact information and received an OCR inquiry shortly after." Because Allina had already investigated the allegation, O'Brien said Allina responded to OCR's questions and quickly provided a response to the OCR investigator.

Allina is using this example to educate patient representatives and human resources staff on how patient grievances can turn into OCR complaints, and the importance of getting corporate compliance involved upfront.

"We have been working with the people who handle patient grievance complaints to make sure they respond properly to complaints that have to do with confidentiality and support them by assisting with the investigation. If a patient grievance comes back nine months later as an OCR complaint, we want to feel confident that it was investigated and documented properly," O'Brien says. And, she says, if the compliance/privacy department supports the efforts to resolve patient grievances with education and documentation, "then it's a win-win for everyone."

Patient Reports a Resolved Complaint to OCR

Another health system had an experience with a patient who reported a privacy violation to OCR even though it was resolved internally quite aggressively (the health system fired the employee who violated the patient's privacy) and the actual patient harm was not severe (e.g., there was no widespread release of embarrassing PHI). The patient, who was also an employee, had medical care at the hospital, and a co-worker made a disparaging remark about it to a fellow employee. "It was a conversation within our four walls, and it got back to the patient," says the privacy officer. The gossiping employee had seen the patient's chart in the course of doing her job, and she made an offhand remark.

The privacy officer said he learned about it from the patient. Even though the loudmouth employee was fired, the patient wasn't satisfied and filed a complaint with OCR. According to the privacy officer, the fact that the two employees were friends turned the incident into a personal betrayal, "and that's what fueled the OCR issue." The patient-employee also quit her job voluntarily.

A Qualitative Shift at OCR

O'Brien says Allina is seeing more in terms of letters from OCR — both qualitatively and quantitatively. Patients have filed complaints about things like Allina denying their request to amend the medical record and inappropriate disclosures of PHI — mostly incidental disclosures, such as the physician speaking to patients about their PHI while a family member is in the room without clearing it with the patient first. Because the disclosures were mostly incidental, OCR was satisfied with Allina's response, which was to discipline if appropriate and intensify employee education.

She also has noticed that OCR investigators have raised the stakes in their investigations of privacy complaints against CEs. "They are scrutinizing closer and digging deeper. They are definitely taking more time," O'Brien says.

Allina has improved its processes and learned from each complaint that has been filed. For one thing, OCR sends the complaint letters directly to the facility where the allegation originated. As a result, none of the OCR complaint letters has been sent directly to the corporate compliance department. That makes the health system vulnerable to an inquiry letter falling through the cracks, she says. If OCR thinks a covered entity is unresponsive, its attempt to seek voluntary compliance can harden into a fine. "One of our fears was that a letter will come to a person who is not a HIPAA person, and it will sit on a desk for a while," she says. Ideally, all OCR letters would come directly to the compliance people, O'Brien says. But since it's not a perfect world, she makes sure managers keep an eye out for OCR letters.

"We did have an incident where it took more time than we would have liked before [a letter] was forwarded to the compliance department," O'Brien says. "We called OCR right away, explained what happened and provided a date when we would submit the response. It made us realize we needed to explain this to people and support their investigation." That prompted O'Brien to place an article about OCR's investigative process in the Allina compliance newsletter.

OCR Speaks Directly to Employees

OCR also seems to be taking a different tack with respect to conversations during investigations of CEs, says Austin O'Flynn, senior counsel for Catholic Healthcare West (CHW) in San Francisco. "OCR wants to talk to the people involved directly. They don't want filtered responses," he says. "They [believe they] can get a clearer picture by talking to the sources of the report."

O'Flynn says OCR has always tended to be insistent when a facility's initial investigation was not as thorough as it might have been. "In our initial OCR responses, CHW works to anticipate OCR's probing by demonstrating that we (i) have thoroughly investigated the matter, (ii) collected detailed statements from material witnesses, and (iii) taken all possible steps to promptly remediate the matter so that there is not likely to be a recurrence," he says. "However, even after extremely thorough initial investigations, some of the more experienced investigators are asking for contact information for any individuals identified in our initial response letter."

O'Flynn says he thinks that this may be a sign that "OCR is coming under increasing pressure" to enforce the privacy rules ever more strenuously as time marches on. The longer the rules are in place, the less tolerance OCR may have for serious violations. With a final enforcement regulation in place, there is likely to be less patience for justifications that facilities or organizations need time to adjust to new HIPAA regulations and requirements.

Kathleen Klute, HIPAA privacy officer for Advocate Health Care in Oak Brook, Ill., noticed that OCR investigators have become more aggressive recently. Advocate, a large health system, has faced several investigations in the three years since the privacy regulation took effect, and the most recent one reflected the greater intensity OCR is now displaying in its investigations. Advocate's role in the latter inquiry was just to supply information to OCR; the target of the OCR investigation was a physician who had accessed patient PHI through Advocate, but he was not an employee or agent.

"OCR had no reason to be assertive with us because we were giving them background information, but they expressed they were going to move into more of an enforcement mode in addition to the education part," Klute says. Another change she observed: An attorney was involved in the discussions. Previously it was just investigators.

New Pressures for Greater Enforcement

The convergence of the final enforcement regulation, which informs CEs in black and white about what will happen to them if they violate the rules, and the implementation of electronic medical records — which heighten the risk of privacy breaches because "more data is flowing in and out of the system" — may push privacy enforcement into higher gear, O'Flynn says.

"Now that covered entities can see the enforcement regulation in writing, senior management will know exactly what the real risk is, and it's up to them to analyze and avoid undue risk," O'Flynn says. For example, when you give someone a user ID and login, "you are trusting that they will use it as they were trained to do. If they don't, the organization is at risk. More and more, management is going to want to minimize that risk through the use of measures like audit trails in EMRs."

 

 


Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.