Develop a Proactive HIPAA Complaint Process, Lawyer Advises


 

SAN DIEGO — Health care organizations need a proactive process in place to deal with Health Insurance Portability and Accountability Act complaints, Teresa A. Williams, in-house counsel for Integris Health Inc., said at the annual meeting of the American Health Lawyers Association.

Having an effective complaint process in place could reduce the number of complaints patients file with government enforcement agencies.

At present, HIPAA enforcement is primarily complaint based, Ms. Williams said. During the first year of enforcement, 5,648 complaints were filed with the Office for Civil Rights (OCR), according to a report published by the Government Accountability Office.

Of those, about 56% alleged impermissible use and disclosure of protected health information, about 33% alleged inadequate safeguards, and about 17% concerned patient access to information. (Percentages total more than 100 because some complaints fall into more than one category.)

As of June 30, 2005, OCR has received more than 13,700 complaints, and has closed 67% of those cases. They've been closed because the alleged activity actually did not violate the privacy rule, or because OCR lacks jurisdiction, or because the complaint was resolved through voluntary compliance. To date, OCR hasn't actually imposed any monetary penalties.

OCR is making every effort to resolve potential cases informally. Ms. Williams gave an example from her company.

Last fall, a patient at one of Integris Health's rural facilities filed an OCR complaint alleging her son's health information had been improperly disclosed. Within 2 days, Integris was able to confirm, through an audit trail, that this had in fact happened, and the responsible employee was terminated.

OCR then requested a copy of the explanatory letter sent to the complainant, records showing that the employee had received appropriate training about HIPAA, and written evidence of termination. “It was all very informal, just a series of phone calls and letters back and forth,” Ms. Williams said. “It took only about 2 months for our case to be closed.”

Ms. Williams advises health care organizations to put a strategy in place for handling potential HIPAA complaints. Key steps:

▸ Train staff on appropriate records and documentation.

▸ Develop and enforce discipline policies.

▸ Conduct patient satisfaction surveys.

▸ Conduct training to inform staff about appropriate uses and disclosures of protected health information.

▸ Take corrective action if necessary, then document it.

▸ Use information gained from the complaint process to better your system.

A variety of methods may be used to process complaints. These methods include written complaint forms, a hotline, a privacy officer, regular mail, e-mail, and online forums.

There is one key element: The person in charge of the complaint process should be able to listen and respond with empathy to the patient.

“Sometimes people aren't looking for a monetary resolution,” Ms. Williams said. “They just want someone to listen to their complaint and tell them that it's been corrected.”

HIPAA Rule Has 'Worrisome' Provision

The final installment of the HIPAA enforcement rule was released on April 18, 2005. Civil monetary penalties are set at a maximum of $100 per violation, up to a maximum of $25,000 for all violations of an identical requirement per calendar year.

But a single act can create multiple violations, Ms. Williams pointed out. That's because the rule uses three variables to calculate the number of violations that have occurred:

▸ The number of times a covered entity takes a prohibited action or fails to take a required action.

▸ The number of persons involved or affected.

▸ The duration of the violation, counted in days.

Under the new rule, information about civil monetary penalties, including the reason for the penalty and the identity of the covered entity, will be made available to the general public. It is not clear whether this happens when the penalty is first imposed, or after legal appeals are completed.

“This provision is a bit worrisome,” Ms. Williams said.

If an emergency department over a 3-month period doesn't collect and file written acknowledgments of privacy notifications, that would count as numerous violations of the privacy rule.

“If a consumer then reads in the paper that your hospital paid hundreds of thousands of dollars for a thousand violations of the privacy rule, that's arguably misleading,” Ms. Williams said. “This is an area that hopefully will be clarified and changed.”
