The Current State of HIPAA Compliance

Ever since the Department of Health and Human Services (HHS) published the HIPAA Standards for Privacy of Individually Identifiable Health Information (also known as the Privacy Rule) in December 2000, employer health plan administrators and other covered entities have invested a significant amount of time and money toward compliance with these federal standards. The Privacy Rule, which protects the privacy of patients' medical records and other health information maintained by covered entities, has even generated a great deal of discussion within the healthcare industry and business communities. But as much as employers have concerned themselves with compliance, they have had little guidance and limited information on how these regulations are enforced and how violations are handled. That is, until now.

The HHS Office for Civil Rights (OCR) recently created a HIPAA Privacy Compliance and Enforcement website that offers information regarding the Privacy Rule's enforcement process and provides useful insight into the types of violations being investigated by the OCR. Health plan administrators should find this information beneficial when creating and updating their HIPAA policies and procedures, and again if a complaint is ever filed against their health plan.

For example, statistics from the site indicate that from April 14, 2003, through June 30, 2007, the OCR received 28,396 complaints regarding HIPAA Privacy violations. Of those 28,000+ complaints, the OCR investigated only 7,190. About 67 percent (4,828) of the investigated complaints resulted in some form of corrective action, while no violations were found in the other 2,362 investigations. The remaining 15,206 complaints were closed without any action because the OCR found that the cases were not eligible for enforcement.

Also found on the Compliance and Enforcement webpage is an overview of the OCR compliance process, giving insight into how the OCR enforces the Privacy Rule and what information is considered during intake and review of a complaint. In particular, the OCR may only take action on complaints meeting the following criteria:

  • The alleged action must have taken place after April 14, 2003.
  • The complaint must be filed against an entity that is required by law to comply with the Privacy Rule.
  • A complaint must allege an activity that, if proven true, would violate the Privacy Rule.
  • Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Privacy Rule.
  • OCR must know the identity of the person who filed the complaint, and have a way to contact that person, to investigate the complaint.

While the Privacy Rule statute allows for hefty fines, the OCR explains that before it imposes penalties for violations, it attempts to resolve complaints by obtaining voluntary compliance, corrective action and/or resolution agreements. The site also provides examples that demonstrate the types of cases OCR has investigated and the level of action taken against those in violation.

The development of this website is further proof that more attention is being paid to HIPAA compliance than ever before. Even though a significant number of privacy complaints are going unanswered, the HHS is dedicating more resources toward enforcement of the Privacy Rule as well as guidance for compliance. For more information, visit the following links:

HHS Office for Civil Rights Compliance and Enforcement

Government Health IT: Most privacy complaints are not investigated


Important Notice: Hill, Chesson & Woody does not engage in the practice of law, accounting, or medicine. Therefore, the contents of this communication should not be regarded as a substitute for legal, tax, or medical advice.

    July 20, 2007

    Hill, Chesson & Woody strives to keep our clients' group decision makers abreast of trends influencing the employee benefits market. Look for Eyes on Benefits to bring you news and information affecting you and your employees.

    194 Finley Golf Course Road, Suite 200,
    Chapel Hill, NC 27517
    Phone: 919.403.1986
    Fax: 919.913.0237

    www.hcwbenefits.com