News

Proactive HIPAA Complaint Process Deemed Ideal


 

SAN DIEGO — Health care organizations need a proactive process in place to deal with Health Insurance Portability and Accountability Act complaints, Teresa A. Williams, in-house counsel for Integris Health Inc., said at the annual meeting of the American Health Lawyers Association. Having an effective complaint process in place could reduce the number of complaints patients file with government enforcement agencies.

During the first year of HIPAA enforcement, 5,648 complaints were filed with the Office for Civil Rights (OCR), according to a report published by the Government Accountability Office. Of those, about 56% alleged impermissible use and disclosure of protected health information, about 33% alleged inadequate safeguards, and about 17% concerned patient access to information. (Percentages total more than 100 because some complaints fall into more than one category.)

As of June 30, 2005, OCR has received more than 13,700 complaints, and has closed 67% of those cases. They've been closed because the alleged activity actually did not violate the privacy rule, or because OCR lacks jurisdiction, or because the complaint was resolved through voluntary compliance. To date, OCR hasn't actually imposed any monetary penalties.

OCR is making every effort to resolve potential cases informally. Ms. Williams gave an example from her company.

Last fall, a patient at one of Integris Health's rural facilities filed an OCR complaint alleging her son's health information had been improperly disclosed. Within 2 days, Integris was able to confirm that this had in fact happened, and the responsible employee was terminated.

OCR then requested a copy of the explanatory letter sent to the complainant, records showing that the employee had received appropriate training about HIPAA, and written evidence of termination. “It was all very informal, just a series of phone calls and letters back and forth,” Ms. Williams said. “It took only about 2 months for our case to be closed.”

Ms. Williams advises health care organizations to put a strategy in place for handling potential HIPAA complaints. Key steps are as follows:

▸ Train staff on appropriate records and documentation.

▸ Develop and enforce discipline policies.

▸ Conduct patient satisfaction surveys.

▸ Conduct training to inform staff about appropriate uses and disclosures of protected health information.

▸ Take corrective action if necessary, then document it.

▸ Use information gained from the complaint process to better your system. The person in charge of the complaint process should be able to listen and respond with empathy. “Sometimes people aren't looking for a monetary resolution,” Ms. Williams said. “They just want someone to listen to their complaint and tell them that it's been corrected.”

Provision Called 'Worrisome'

The final installment of the HIPAA enforcement rule was released on April 18, 2005. Civil monetary penalties are set at a maximum of $100 per violation, up to a maximum of $25,000 for all violations of an identical requirement per calendar year.

But a single act can create multiple violations, Ms. Williams pointed out. That's because the rule uses three variables to calculate the number of violations:

▸ The number of times a covered entity takes a prohibited action or failed to take a required action.

▸ The number of persons involved or affected.

▸ The duration of the violation, counted in days.

Under the new rule, information about civil monetary penalties will be made available to the public.

“This provision is a bit worrisome,” Ms. Williams said. If an emergency department over a 3-month period doesn't collect and file written acknowledgments of privacy notifications, that would count as numerous violations of the privacy rule.

Recommended Reading

Insurers Attempt to Crack Down on Imaging Costs
MDedge Rheumatology
Policy & Practice
MDedge Rheumatology
IOM Committee Begins Investigation of the FDA
MDedge Rheumatology
CMS Hospital Database to Drive Accountability : The effect of the new hospital database on the physician-patient relationship remains uncertain.
MDedge Rheumatology
National Medicare Policy on Kyphoplasty: Not Anytime Soon
MDedge Rheumatology
Authorities Eye FNCS Practices for Potential Conflicts of Interest
MDedge Rheumatology
Policy & Practice
MDedge Rheumatology
AMA Adopts Fair Prescribing, Imaging Resolutions
MDedge Rheumatology
Congress Floats Physician Payment Options
MDedge Rheumatology
Doctors to CMS: One National Provider Identifier Only, Please
MDedge Rheumatology