
Protecting from HIPAA Exposure through Compliance

May 2012, Vol 2, No 3

The Office for Civil Rights (OCR)—the arm of the US Department of Health and Human Services (HHS) that is responsible for enforcing Health Insurance Portability and Accountability Act (HIPAA) compliance—has historically taken a passive role on its mandate. This is why news that Klynveld Peat Marwick Goerdeler (KPMG)—a global audit giant—has been retained to begin auditing “covered entities” is noteworthy. The contract that KPMG has entered into with the OCR looks to begin small by providing for the audit of 150 “covered entities.” It is designed to be “self-funded,” with the auditors being compensated on a contingency basis based on what they recover.

Similar to the Medicare Recovery Audit Contractors program, the OCR’s contract with KPMG looks like a test-case scenario to see how positive the results are for the OCR before rolling out a national program to systematically audit “covered entities.” However, it is difficult to conceive of KPMG’s findings not reaping positive monetary results for the OCR, because the OCR has the authority to levy huge fines against entities in noncompliance (up to $50,000 per violation; each individual privacy breach is considered a separate violation), as well as to seek criminal penalties. There are numerous policy requirements that each entity is required to have on file to remain in compliance with HIPAA and other statutes overseen by the OCR.

Moreover, the OCR has already seen returns on its efforts in previous investigations. A recent settlement between the University of California at Los Angeles Health System and the HHS resulted from an OCR investigation of complaints received from 2 celebrity patients who had received care at the health system and whose electronic health information employees of the health system had repeatedly, and without reason, looked at.1 During the investigation, the OCR established that inappropriate access to protected health information was a common practice at the health system.1 The University of California at Los Angeles Health System agreed to pay $865,500 to settle the matter.1 Similarly, Massachusetts General has been slapped with 7-figure fines for inadvertent security breaches resulting in the disclosure of protected health information.2

OCR activity with big players is typically what we read about in the news; however, the lack of coverage does not mean that solo providers or small group practices are not subject to review. In fact, the OCR is required to investigate each and every complaint that is made to its office. Complaints range from inappropriate disclosures of information protected under HIPAA to mismanagement of records and potential violations of the other statutes the OCR is charged with enforcing.

A recent situation our office handled on behalf of a doctor was an OCR investigation into a solo provider’s office requesting that doctor’s policy on charging for medical records. A patient had requested copies of her x-rays and the doctor had charged the patient $60—$54 was the fee the doctor paid to the company making the copies, and $6 was charged by the doctor to recover a minimal amount of office time obtaining the copies. The patient thought that the charge was excessive, and although she had agreed to pay the $60 at the time that she requested the copies, she still reported the doctor to the OCR.

This matter was interesting, because the OCR took the position that having language in your HIPAA privacy policy stating that you charge for copies was not enough; the OCR stated that every practice must have a separate specific policy addressing charging for records. Also, the OCR took the position that although an office may charge an “administrative fee” for locating and copying its own records, it was inappropriate for this doctor to charge the extra $6, because his office did not make the actual copies. In the end, no fine was assessed; however, time was spent defending the practice for failure to maintain the medical records copy charge policy, and the doctor was required to refund the $6.

How you are using patient information also extends to the way you are communicating with your patients. Many practices are using e-mail to correspond and to transmit information, policies, and forms over the internet and through their websites. A main concern with the increase in e-mail communications is that people are often much more casual in their e-mail communications, and the formalities put in place to protect patient confidentiality in the office may be forgotten or ignored.

An example of this happened to our client when the client’s boyfriend—who had accompanied the patient to several office visits and was known to the practitioner—sent an e-mail in the middle of the night to the vigilant provider, who checked it and believed this was an emergency situation requiring disclosure of a sensitive medication. The patient, who had been in a medical facility against her will, submitted a complaint against the provider for an unauthorized disclosure after the fact, because the boyfriend was not listed on her HIPAA consent form as a third party authorized to receive her information. The patient was moderately famous, and her boyfriend, although seemingly well intentioned, inadvertently leaked the information on the medication to the media. Sanctions were imposed on the provider after the OCR determined that the situation preceding the disclosure was not an emergency, and that the access was neither warranted nor authorized.

To better understand where potential exposure may originate from in your practice, it is essential to review the basic patient rights that the OCR is looking to protect. The OCR is responsible for enforcing adherence to HIPAA, and now, as of 2010, to the Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as to the Patient Safety and Quality Improvement Act (PSQIA). So, what does that mean?

You are most likely familiar with HIPAA, and you understand that any individually identifiable information of a patient must be protected and may not be disclosed unless for an authorized or permitted reason. “Individually identifiable” includes, but is not limited to, a patient’s full name, social security number, and image.

HITECH acknowledges and brings to the forefront issues regarding the handling of protected health information electronically. Under HITECH, each practice that is capable of using computers or electronic transmission for protected health information is required to have protection in place for that information. The required protection starts with having a proper policy with regard to the treatment of electronic protected health information. Under PSQIA, the government created a voluntary reporting system for medical errors in patient care. Because the OCR requires policies for all statutes that it governs, having a policy on file acknowledging the PSQIA and its reporting procedures should suffice.

The bottom line when preparing your HIPAA policy is that you have a choice: take preventive action and adopt appropriate policies that will work with your practice to ensure that you are in compliance, or accept the risk that you will be targeted for a review or have a complaint made to the OCR about your practice. It has been my experience that the practices that engage in preventive planning have cleaner operations and less exposure, as well as much lower legal fees should they be targeted for investigation.


  1. US Department of Health and Human Services. University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities. July 7, 2011. Accessed May 2, 2012.
  2. US Department of Health and Human Services. Massachusetts General Hospital settles potential HIPAA violations. February 24, 2011. Accessed May 2, 2012.

This article is for education and discussion purposes only and does not constitute legal advice.
