Why HIPAA enforcement leads to confusion, dissatisfaction
With most issues resolved out of the public eye, there’s a sense that the lack of overt public action means organizations aren’t being held to account.
Compliance with HIPAA and the attendant privacy and security requirements is a frequent topic and still a big worry in the industry. Discussions around compliance are driven by the daily reporting of breaches and the probably more than daily issues faced by patients, clinicians and others when HIPAA is misinterpreted.
In the face of all of these issues, there are not many options to turn to in order to obtain redress. Unless state law offers some alternative, HIPAA permits filing a complaint with an organization’s privacy officer, the Office for Civil Rights (OCR) or the applicable attorney general. Even with those options, those making complaints may then feel like their filings are disappearing into a black hole.
Complaints are not just dismissed, however. Many thousands result in some form of action, most often by OCR. The typical response from OCR is to send an investigative demand, usually a request for documentation, to the organization in question, review the responses, and then offer technical or other similar advice to address the situation. Following that resolution, OCR will notify the complainant about the general action taken.
The common scenario outlined above can leave many feeling dissatisfied, however. The lack of overt public action or attention can perpetuate an impression that organizations are able to violate HIPAA with impunity. While so-called “behind-the-scenes” resolutions are the most frequent means of resolution, there can also be well-publicized settlement agreements and fines imposed.
When a complaint or issue results in a public settlement, the resolution agreement most often cites pervasive non-compliance with the HIPAA Security Rule. While a HIPAA Privacy Rule violation could be the genesis for the complaint or other issue, that will fall to the wayside when reading through the actions or omissions that really caught the attention of OCR. Does this mean that OCR is not as concerned with Privacy Rule issues, or just that compounding actions are needed before a fine will be imposed?
Regardless of the answer or response to some of these questions and issues, the bigger underlying question concerns the purpose behind enforcement actions taken by OCR. Actions by states are not really being considered because those are even rarer than monetary penalties from OCR. Should organizations be called to task for violations of all kinds, or only on especially egregious conduct? The response to that question will very likely be driven by the side that one is on.
From the perspective of organizations, the behind-the-scenes approach to resolution is probably preferred. That enables issues to be identified, guidance provided by OCR, and then changes can be implemented—at least that is the optimistic assessment and the hope of what happens for conscientious organizations. That should represent the majority of instances. The private resolution avoids unnecessary shaming and lets the organization move on.
From the individual perspective, most people would prefer more public attention and public resolution. Issues can be pervasive, constant and disruptive. From that perspective, why should a resolution be reached without anyone being informed of what happened? For example, if an organization’s conduct is brought to the fore, maybe more reports will come that could justify a different response.
From OCR’s perspective, a blended approach is probably preferred. Realistically, the approaches are also constrained by staff and budgetary resources, which are not as high as would be preferred. Resolving the majority of issues by private resolutions enables education and guidance that aims to result in better overall compliance. When specific lessons are needed, then a public fine and settlement could be pursued. That balanced approach can serve multiple needs.
The suppositions from each perspective are purposefully brief and broad stroke. Getting specific input from anyone interested in this issue will be appreciated and help inform the debate and discussion.