SAN DIEGO — Health care organizations need a proactive process in place to deal with Health Insurance Portability and Accountability Act complaints, Teresa A. Williams, in-house counsel for Integris Health Inc., said during the annual meeting of the American Health Lawyers Association.
Having an effective complaint process in place could reduce the number of complaints patients file with government enforcement agencies. At present, HIPAA enforcement is primarily complaint based, Ms. Williams said. During the first year of enforcement, 5,648 complaints were filed with the Office for Civil Rights (OCR), according to a report published by the Government Accountability Office. Of those, about 56% alleged impermissible use and disclosure of protected health information, about 33% alleged inadequate safeguards, and about 17% concerned patient access to information. (Percentages total more than 100 because some complaints fall into more than one category.)
As of June 30, 2005, OCR has received more than 13,700 complaints, and has closed 67% of those cases. They've been closed because the alleged activity actually did not violate the privacy rule, or because OCR lacks jurisdiction, or because the complaint was resolved through voluntary compliance.
To date, OCR hasn't actually imposed any monetary penalties.
OCR is making every effort to resolve potential cases informally. Ms. Williams gave an example from her company.
Last fall, a patient at one of Integris Health's rural facilities filed an OCR complaint alleging her son's health information had been improperly disclosed.
Within 2 days, Integris was able to confirm, through an audit trail, that this had in fact happened, and the responsible employee was terminated. OCR then requested a copy of the explanatory letter sent to the complainant, records showing that the employee had received appropriate training about HIPAA, and written evidence of termination.
“It was all very informal, just a series of phone calls and letters back and forth,” Ms. Williams said. “It took only about 2 months for our case to be closed.”
Ms. Williams advises health care organizations to have a strategy for handling potential HIPAA complaints.
Key steps include:
▸ Train staff on appropriate records and documentation.
▸ Develop and enforce discipline policies.
▸ Conduct patient satisfaction surveys.
▸ Conduct training to inform staff about appropriate uses and disclosures of protected health information.
▸ Take corrective action if necessary, then document it.
▸ Use information gained from the complaint process to better your system.
Methods to process complaints include written forms, a hotline, a privacy officer, regular mail, e-mail, and online forums. One key element: The person in charge of the complaint process should be able to listen and respond with empathy.
Enforcement Rule Called 'Worrisome'
The final installment of the HIPAA enforcement rule was released on April 18, 2005. Civil monetary penalties are set at a maximum of $100 per violation, up to a maximum of $25,000 for all violations of an identical requirement per calendar year.
But a single act can create multiple violations, Ms. Williams pointed out. That's because the rule uses three variables to calculate the number of violations:
▸ The number of times a covered entity takes a prohibited action or failed to take a required action.
▸ The number of persons involved or affected.
▸ The duration of the violation, counted in days.
Under the new rule, information about civil monetary penalties, including reason for the penalty and identity of the covered entity, will be made available to the general public. It is not clear, however, whether this happens when the penalty is first imposed, or after legal appeals are completed.
“This provision is a bit worrisome,” Ms. Williams said.