The U.S. Department of Health and Human Services (HHS) recently launched a new website (www.hhs.gov/ocr/privacy/enforcement) that provides comprehensive and insightful information on its internal enforcement program for the HIPAA Privacy Rule. The Privacy Rule is designed to protect an individual’s health information from unauthorized use or disclosure.
The HHS Office of Civil Rights (OCR) enforces the Privacy Rule by investigating complaints and conducting compliance reviews of entities covered by HIPAA. The website explains how the OCR staff handles the complaint process, from initial intake and review procedures, through information-gathering and investigation, and concluding with the OCR’s formal findings. After receiving a complaint, the OCR determines whether the following conditions are met before launching a formal investigation:
- The alleged violation occurred after April 14, 2003, when the Privacy Rule took effect.
- The complaint was filed against a “covered entity” under HIPAA, such as a health plan, health care provider, or health care clearinghouse.
- The complaint, if proven, would violate the Privacy Rule.
- The complaint was filed within 180 days after the complainant learned of the alleged violation.
- The OCR knows or can ascertain the identity of the complainant.
If these conditions are satisfied, the OCR will start the investigation by requesting information and documents concerning the alleged violation from both the complainant and the covered entity. HIPAA requires that the covered entity fully cooperate throughout the investigation. If the OCR determines that HIPAA’s criminal provisions may be implicated, it will refer the matter to the U.S. Department of Justice for investigation. And if the OCR suspects that HIPAA’s separate Security Rule may have been violated, it will coordinate its investigation with the Centers for Medicare & Medicaid Services.
After gathering and reviewing the evidence, the OCR decides whether the covered entity violated the Privacy Rule. If a violation is deemed to have occurred, the OCR attempts to resolve the case by having the covered entity voluntarily institute changes in privacy practices and take other corrective actions designed to safeguard health information. If such changes are not agreed to and implemented in a manner the OCR deems satisfactory, it may impose monetary penalties. The covered entity may request a review of the findings and a hearing by an HHS administrative law judge.
The new website gives examples of actual cases where covered entities were found to have used or disclosed health information in violation of the Privacy Rule, including a pharmacy that failed to safeguard a customer’s insurance card and a hospital that released a patient’s health information to his employer without obtaining a HIPAA-compliant authorization. In both instances, the covered entities were required to revise their policies and provide additional staff training. The types of covered entities most often required to take corrective actions are: (1) private practices such as doctors’ offices; (2) hospitals; (3) outpatient facilities; (4) health plans; and (5) pharmacies. The new website also provides informative statistics on the scope and impact of the enforcement program. As of September 30, 2007, HHS had received 30,602 HIPAA privacy complaints.
If you have questions about whether your organization is covered by and complying with HIPAA, or about a HIPAA privacy complaint or OCR compliance review, contact the KOHP attorney with whom you work.
William B. Forrest III