
Develop a Proactive HIPAA Complaint Process, Lawyer Advises


 

SAN DIEGO – Health care organizations need a proactive process in place to deal with Health Insurance Portability and Accountability Act complaints, Teresa A. Williams, in-house counsel for Integris Health Inc., said at the annual meeting of the American Health Lawyers Association. Having an effective complaint process in place could reduce the number of complaints patients file with government enforcement agencies.

At present, HIPAA enforcement is primarily complaint based, Ms. Williams said. During the first year of enforcement, 5,648 complaints were filed with the Office for Civil Rights (OCR), according to a report published by the Government Accountability Office. Of those, about 56% alleged impermissible use and disclosure of protected health information, about 33% alleged inadequate safeguards, and about 17% concerned patient access to information. (Percentages total more than 100 because some complaints fall into more than one category.)

As of June 30, 2005, OCR has received more than 13,700 complaints, and has closed 67% of those cases. They've been closed because the alleged activity actually did not violate the privacy rule, or because OCR lacks jurisdiction, or because the complaint was resolved through voluntary compliance. To date, OCR hasn't actually imposed any monetary penalties.

OCR is making every effort to resolve potential cases informally. Ms. Williams gave an example from her company.

Last fall, a patient at one of Integris Health's rural facilities filed an OCR complaint alleging her son's health information had been improperly disclosed. Within 2 days, Integris was able to confirm, through an audit trail, that this had in fact happened, and the responsible employee was terminated.

OCR then requested a copy of the explanatory letter sent to the complainant, records showing that the employee had received appropriate training about HIPAA, and written evidence of termination. “It was all very informal, just a series of phone calls and letters back and forth,” Ms. Williams said. “It took only about 2 months for our case to be closed.”

Ms. Williams advises health care organizations to put a strategy in place for handling potential HIPAA complaints. Here are the key steps:

▸ Train staff on appropriate records and documentation.

▸ Develop and enforce discipline policies.

▸ Conduct patient satisfaction surveys.

▸ Conduct training to inform staff about appropriate uses and disclosures of protected health information.

▸ Take corrective action if necessary, then document it.

▸ Use information gained from the complaint process to better your system.

A variety of methods may be used to process complaints, including written complaint forms, a hotline, a privacy officer, regular mail, e-mail, and online forums. One key element: The person in charge of the complaint process should be able to listen and respond with empathy.

“Sometimes people aren't looking for a monetary resolution,” Ms. Williams said. “They just want someone to listen to their complaint and tell them that it's been corrected.”

Enforcement Rule Needs Clarification

The final installment of the HIPAA enforcement rule was released on April 18, 2005. Civil monetary penalties are set at a maximum of $100 per violation, up to a maximum of $25,000 for all violations of an identical requirement per calendar year.

But a single act can create multiple violations, Ms. Williams pointed out. That's because the rule uses three variables to calculate the number of violations:

▸ The number of times a covered entity takes a prohibited action or fails to take a required action.

▸ The number of persons involved or affected.

▸ The duration of the violation, counted in days.

Under the new rule, information about civil monetary penalties, including reason for the penalty and identity of the covered entity, will be made available to the general public. It is not clear whether this happens when the penalty is first imposed, or after legal appeals are completed.

“This provision is a bit worrisome,” Ms. Williams said.

If an emergency department, over a 3-month period, doesn't collect and file written acknowledgments of privacy notifications, that would count as numerous violations of the privacy rule.

“If a consumer then reads in the paper that your hospital paid hundreds of thousands of dollars for a thousand violations of the privacy rule, that's arguably misleading,” Ms. Williams said. “This is an area that hopefully will be clarified and changed.”
