The Sleeping Dog Awakens: HIPAA Enforcement Increasing
The Office of Inspector General (OIG) auditors may be just around the corner.

The chance of HIPAA Security Rule audits taking place has increased of late. The increased activity is not a response to particular violations by providers, but rather a stepping-up of efforts from the Office of Inspector General.

When HIPAA was passed into law in 1996, the medical community saw the Privacy and Transaction and Code Set rules as the initial hurdles in changing the way medical facilities and professionals managed their patient administration. The Security Rule was certainly an issue, but was one that did not seem to be as difficult a matter to handle, particularly with the growing capabilities and complexities of computing technology in the mid- to late-1990s. Further, the Enforcement Rule would not go into effect until years later, and did not appear to have any real effect on the HIPAA world at the time.

But the Enforcement Rule became effective in March 2006, carrying with it the threat of actual monetary penalties for violations of HIPAA’s requirements. While the original effectiveness of the new Rule passed with little fanfare, 2007 saw increased activity on enforcement of HIPAA requirements. According to the Office of Civil Rights (OCR), by April 30, 2007, it had received some 27,000 documented complaints from patients regarding HIPAA privacy issues. Of those, 4,577 resulted in corrective actions taken by the Covered Entities. More than 360 were referred to the Department of Justice for criminal investigation.

In March 2007, Piedmont Hospital in Atlanta endured an audit from the OIG — an audit focused primarily on the technical requirements of the HIPAA Security Rule. These requirements are found at 45 C.F.R. § 164.302, et seq., and include physical, administrative, and technical safeguards of electronic health information. Possibly as a result of the rash of recent patient information breaches (VA and hospital conglomerate laptop losses), the OIG is beginning to take a particular interest in enforcing and auditing these more technical areas of HIPAA compliance.

Covered Entities cannot completely avoid these duties by outsourcing much or all of these technological requirements to third-party vendors. There are contractual provisions that can require those vendors to meet the strict requirements of the HIPAA Security Rule. However, ultimate responsibility for ensuring the control of that information lies with the Covered Entity collecting that information while treating their patients.

And despite the fact that HIPAA creates no private right of action for patients to sue Covered Entities for HIPAA violations, the continued presence of HIPAA requirements is creating the standard level of care and privacy protections owed to patients in society. This modern standard of care related to Protected Health Information (PHI) has begun to form the basis of negligence claims for breaches of the HIPAA Privacy and Security Rules. Since such private actions cannot be brought under the provisions of HIPAA, patients are using state tort laws to allege invasion of privacy and negligence following unauthorized releases of PHI.

In summary, the HIPAA standards for the protection of patients’ PHI have been in place for more than 10 years, during which the OIG and the public at large have come to expect Covered Entities to comply with those standards as a normal and routine part of the administration of patient information. Within the last six months, the OIG has begun to focus its auditing activities on the technical aspects of the Security Rule, leading many to believe that the frequent loss of laptops and breaches of network security are forcing the auditors to enhance the focus in this area of enforcement. And while Covered Entities may be able to shift the burdens of these requirements through the use of vendor software and systems, the final responsibility of that compliance remains with the Covered Entity. Finally, the litigation issues surrounding HIPAA have shifted to allow patients to bring state tort actions for breaches of HIPAA requirements, such claims being couched within the expectation that HIPAA sets the level and standard of care for the protection of patients’ PHI. Consequently, Covered Entities — hospitals and practitioners alike — would certainly benefit from a current review and analysis of their daily approach to the protection of patient PHI under the requirements of the HIPAA Security Rule.

November 2007