On April 13 the Pittsburgh Tribune-Review reported that the University of Pittsburgh Medical Center (UPMC) admitted to using the records of 80 patients, including names and Social Security numbers, for a presentation they made at a 2002 symposium, in violation of the Health Insurance Portability and Accountability Act (HIPAA).
“”We can only apologize to patients for that, but hopefully they realize we make an enormous effort to ensure that patient medical records information remains private and confidential,” said John P. Houston, UPMC vice president for information security and privacy.”
Hmm…what effort was made when the PHI was being used within a presentation by UPMC? Too many crocodile tears seem to be shed by organizational leaders following incidents.
The UPMC offered to pay for credit monitoring for those who requested it, so at least they are providing that.
The article indicated that the Office of Civil Rights (OCR), a subset of the Department of Health and and Human Services (HHS) that is responsible for HIPAA Privacy Rule enforcement,
“has received about 26,000 complaints of medical privacy breaches since new privacy rules went into effect in 2003, according to a senior adviser there who spoke on background. Of those, about 4,100 have been determined to be actual violations of federal rules, the official said. But the office has worked with health care agencies to correct problems and has not yet issued a fine, the official said. Houston, who serves on three federal committees dealing with medical records privacy, said a cooperative, rather than punitive, attitude helps solve problems efficiently.”
Isn’t it incredible to you that 4,100 of the complaints were determined to be violations? But nothing other than just saying something to the effect of, “Please don’t let it happen again,” was done?
Have any of those responsible for enforcement been victims of these preventable incidents themselves? If they had, perhaps they would see the havoc it wreaks within the impacted individuals’ lives, and the huge amount of time and money it takes, to straighten up an “oops” that a healthcare organization made.
A cooperative attitude is getting into compliance before an incident occurs.
As I have stated many other times on this blog, laws are not effective if they are not enforced. If a law states there are penalties for noncompliance, and HIPAA clearly states that there are monetary penalties, along with jail time, for noncompliance, then those penalties should be applied.
“A 2006 national survey of health care providers and insurers by the Healthcare Information and Management Systems Society found that 22 percent of care providers were not in compliance with privacy regulations. In addition, the survey said about half of reportedly compliant hospitals reported breaches in medical privacy.”
What is the HHS, OCR, and Centers for Medicare and Medicaid Services (CMS, responsible for Security Rule enforcement) waiting for?
On April 2, 2007, the Supreme Court issued a 5-4 ruling that the Environmental Protection Agency (EPA) violated the Clean Air Act by not limiting heat-trapping gases in vehicle emissions, and that the EPA has the power to regulate those pollutants. In other words, the EPA was not enforcing the law they were responsible and obligated to enforce.
As Justice John Paul Stevens wrote,
“EPA has refused to comply with this clear statutory command. Instead, it has offered a laundry list of reasons not to regulate.”
Gosh, it looks like Justice Stevens could replace “EPA” with “HHS” and accurately reflect how well HIPAA is being enforced.
The HHS has the power…the obligation…to enforce HIPAA. Will a case have to go before the Supreme Court before they start upholding their responsibility?
Too many incidents within healthcare providers, insurers and clearinghouses continue to happen on a regular basis. Look through the lists of incidents on attrition, PogoWasRight, and Privacy Rights Clearinghouse and you will see that there are a large number of covered entities (CEs) under the HIPAA regulations on those lists.
If our lawmakers pass laws they need to ensure the laws are consistently and appropriately enforced. They need to hold the enforcement agencies’ feet to the fire to meet their obligations and responsibilities.
Non-enforcement of HIPAA not only allows the continuance of privacy incidents, it also thwarts the efforts of information security and privacy professionals within healthcare organizations to get their programs supported by their executive management; after all, if there are no penalties for non-compliance, then why waste the money on implementing the legally-required safeguards? I have heard more than one CxO make similar statements.
The HHS recently indicated they were going to start enforcement activities, but until a substantial penalty is applied for a clear violation those will be empty words, just another “…laundry list of reasons not to regulate.”
Tags: awareness and training, CMS, epa, HHS, HIPAA, Information Security, IT compliance, OCR, patient privacy, policies and procedures, privacy, privacy rule, security rule, supreme court