HIPAA/LAW:
Special Edition
April 2003
"The Time for Privacy Rule Compliance: No Longer Tomorrow"
by Steve Fox & Rachel Wilson, Esqs., Pepper Hamilton LLP
After thousands of comments, one delay, numerous press releases,
responses to frequently asked questions, modifications, guidance
from the Department of Health and Human Services ("HHS"),
and thousands of articles and commentaries, the compliance date
for the HIPAA Privacy Rule (the "Privacy Rule") is finally
upon us. So what exactly is the risk of failing to comply? The answer
is not as obvious as it may seem on its face. Yes, failure to comply
with the Privacy Rule may result in civil and criminal penalties.
A covered entity may be fined up to $100 per person/per privacy
violation and members of its workforce sent to prison for as long
as ten years. And yes, these penalties are severe, but they are
only a fraction of what covered entities risk if they fail to comply
with the Privacy Rule.
As a practical matter, an IRS audit is probably more likely than
a HIPAA civil or criminal penalty. HHS' Office for Civil Rights,
which is responsible for enforcing the Privacy Rule, has stated
that investigations will be complaint-driven and will emphasize
voluntary resolutions to problems. According to Richard M. Campanelli,
director of the Office for Civil Rights, HIPAA violators will be
"engage[d]...to achieve voluntary resolution" of compliance
failures and if resolved, "that is likely to be the end of
it." Fines will be imposed only in those cases where a covered
entity does not make a "good faith" effort to correct
violations of the Privacy Rule.
So what is really at risk? The short answer is the confidence and
trust of the covered entity's patient population and, if that confidence
is breached, the risk of a lawsuit.
The Privacy Rule was contemplated and designed to address the patchwork
of protection afforded the privacy of health information by a variety
of different state laws. Providing a standardized and uniform base
level of privacy protection was thought necessary in order to inspire
patient confidence about the way that health information is stored
and maintained throughout the industry. To the extent that patients
are comfortable about the measures implemented to protect sensitive
health information, the expectation is that the industry will be
in a better position to take advantage of technological innovations
like computerized patient records that allow for greater efficiency
and accuracy in the provision of care. An ancillary consequence
of this standardization of privacy protection is that it establishes
what is arguably a minimum standard of care that will be used as
a benchmark not just for compliance with the Privacy Rule, but in
any instances where patient confidentiality is at issue.
Individuals do not have the right to sue covered entities for HIPAA
violations. As stated previously, HHS' Office for Civil Rights has
been charged with the responsibility for enforcing the Privacy Rule.
However, courts may look to the Privacy Rule to determine whether
a covered entity has adhered to the standard of care owed to its
patients. Failure to meet that standard of care may be sufficient
for a patient to establish a claim arising from an invasion of privacy,
a breach of confidentiality or numerous other theories of liability.
What can covered entities do to protect themselves?
Covered entities are most susceptible to risks created by their
own actions. Fortunately, by their very nature, these are the risks
that are easiest to protect against. For example, it is absolutely
imperative that an entity's policies and procedures are consistent
with its Notice of Privacy Practices. It sounds obvious, but a covered
entity's failure to follow its own policies and procedures could
come back to haunt it. What is so particularly damning about such
a failure is that the covered entity recognized the importance of
implementing certain protections, as evidenced by its policies and
procedures, but failed to act accordingly. Covered entities should
be careful not to assume a duty or standard of care that is greater
than what is required under the law and more onerous than the covered
entity can reasonably adhere to. The Notice of Privacy Practices
should be an accurate reflection of an entity's then-current policies
and procedures. Training should be sufficient to educate employees
about the covered entity's policies and procedures, which should
include procedures for reporting and mitigating the effect of any
violations. Unless a covered entity's employees and workforce are
trained (and retrained) on the actual policies and procedures in
place, that entity is at grave risk of exposing itself to significant
HIPAA problems.
Today marks the beginning of a new era in healthcare, and, like
any new beginning, it will be accompanied by confusion, mistakes
and a myriad of problems which no one anticipated. But it will also
be remembered as the time when the healthcare industry took a great
leap forward and began offering real protections for the privacy
of its patients.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP, www.pepperlaw.com.
This article was co-authored by Rachel H. Wilson, Esq., an associate
of Pepper Hamilton LLP. They may be reached at foxsj@pepperlaw.com.
Disclaimer: This information is general in nature and should
not be relied upon as legal advice.