UPDATE
Special Report

HIPAA's top cop on enforcement

Now that the privacy rules are in effect, how will they be carried out?

By now, everyone knows—or should know—that the HIPAA privacy rules took effect this April.

They require, among other things, that doctors and other "covered entities" inform patients of their privacy rights and receive acknowledgment that they've done so; designate a privacy officer; develop methods for disclosing the minimum amount of protected information to achieve a given purpose; and use contracts that ensure business associates will also protect the privacy of restricted data.

The person responsible for enforcing compliance is attorney Richard M. Campanelli, director of the Office for Civil Rights of the Department of Health and Human Services. Here is Senior Editor Wayne J. Guglielmo's recent conversation with Campanelli.

You've indicated that enforcement of the HIPAA privacy rule would be complaint-driven, at least initially. Can you explain what that means?

We're not just talking about people who believe their information was disclosed improperly or that the rule was violated with respect to them. Anyone can file a complaint. And, in fact, of the approximately 600 complaints that have been filed nationwide to date, the top four [categories] involve situations where the people who complained were not the victims—who hadn't had the rule violated with respect to them. [Included among these people who complained] are employees who believe that their organizations aren't complying with the rules. So we have broad investigative authority, which we are already using, given the expansiveness of the complaint process.

Have you been given a budget sufficient to monitor and enforce compliance?

Yes. It's a little hard at this early point to predict what our long-term trends will be, but, if the complaints continue at their current rate, we feel confident that we'll be able to handle them. To date, we've been able to resolve or close about 20 percent of the complaints we've received.

Since the privacy rule took effect, some doctors seem to be overcorrecting—doing things they don't have to, or not doing things they're permitted to. What are you doing to counter these misperceptions?

We have heard reports like that, but I think they indicate that people know about HIPAA and are taking it seriously.

Beyond that, we are responding with an enormous amount of [public] information. Our Web site [www.hhs.gov/ocr], for example, contains a frequently-asked-questions feature in a readable and searchable format. In March and April alone, we had over three-quarters of a million visits to our FAQs. And we answered 8,000 phone calls on our toll-free line [866-627-7748].

We've also heard reports that doctors are correcting each other. If, for instance, a doctor refuses to send a patient record to another provider for treatment purposes, the requesting doctor quickly informs the errant doctor, "No, that's not right. Go look at the OCR Web site. You can provide this information to me." Even patients are telling their doctors when necessary, "You can do this—read your own notice [of privacy practices]."

By the way, these notices that doctors hand out are very helpful tools. They're educational, both for the practices themselves and for their patients.

 

Wayne Guglielmo. Special Report: HIPAA's top cop on enforcement. Medical Economics Aug. 8, 2003;80:14.