HIPAA hum­drum

Gen­er­ally speaking, laws work bet­ter if they’re en­forced

Modern Healthcare - - Opinions - Emily Fried­man

On Feb. 22, as the 15th an­niver­sary of the Health Insurance Porta­bil­ity and Ac­count­abil­ity Act ap­proached, HHS’ Of­fice for Civil Rights fired off the health in­for­ma­tion pri­vacy equiv­a­lent of the shot heard round the world: It ac­tu­ally fined some­one for vi­o­lat­ing the law. In fact, the Of­fice for Civil Rights pretty much threw the book, in the form of a $4.3 mil­lion civil penalty, at Cignet Health, a Mary­land-based health plan, for fail­ing to al­low pa­tients ac­cess to their med­i­cal records and es­pe­cially for not co­op­er­at­ing with its in­ves­ti­ga­tion. Shortly there­after, 907-bed Mas­sachusetts Gen­eral Hos­pi­tal, Boston, and UCLA Health Sys­tem, Los An­ge­les, also were pe­nal­ized for vi­o­lat­ing HIPAA.

Ge­orgina Ver­dugo, di­rec­tor of the Of­fice for Civil Rights, said, “We hope the health­care in­dus­try will take a close look at this … and rec­og­nize that OCR is se­ri­ous about HIPAA en­force­ment.”

Yet there was an odd tone in the many com­men­taries that fol­lowed that an­nounce­ment. An e-mail from the law firm of Ep­stein Becker & Green ob­served, “After years of lit­tle or no en­force­ment, (HIPAA) has been su­per­charged.” Paul Roberts, who writes for In­ter­net se­cu­rity firm Kasper­sky Lab’s on­line news­let­ter, was far less po­lite: “The health­care in­dus­try’s tooth­less tiger has fi­nally bared its teeth. … The action is the first mon­e­tary fine is­sued since the act was passed in 1996.”

In­deed, as Lora Bent­ley wrote on the IT Busi­ness Edge web­site in 2009, “Since (HIPAA) be­came law, en­force­ment has been a weak link. The num­ber of cov­ered en­ti­ties that are in full com­pli­ance has been low, sim­ply be­cause (HHS) hasn’t had much of an en­force­ment mech­a­nism in place.”

But after 15 years, HIPAA (or at least its pri­vacy pro­vi­sions) is be­ing en­forced, with some­thing re­sem­bling a vengeance. That should be a wake-up call for non­com­pli­ant providers, as well as for those of­fi­cials who are tasked with im­ple­ment­ing the Pa­tient Pro­tec­tion and Af­ford­able Care Act. (For more on this topic, read “HIPAA at 15,” Aug. 22, p. 12.)

To be fair, some of the rea­sons for the lack of HIPAA en­force­ment were be­yond the fed­eral gov­ern­ment’s con­trol. The law’s ma­jor pro­vi­sions were insurance re­forms, par­tic­u­larly in the small-group and in­di­vid­ual mar­ket, and pri­vacy pro­tec­tions. The insurance pro­vi­sions were to be en­forced by the states, with backup from what was then HCFA (now

Passing a law but not en­forc­ing it cru­elly raises false hope.

the CMS); the Of­fice for Civil Rights was charged with en­forc­ing the pri­vacy pro­vi­sions. Nei­ther side of the equa­tion worked too well. Why? For one thing, split­ting au­thor­ity be­tween states and the feds is rarely ef­fec­tive; look at the trou­bled his­tory of Med­i­caid. Fur­ther­more, as Maria Hov­ing Fried­man (no re­la­tion to the au­thor), who served as pub­lic af­fairs di­rec­tor for what was then HCFA, notes, “HIPAA was doomed to be a fail­ure from the out­set be­cause the states ex­erted their right to re­tain con­trol over insurance reg­u­la­tion, which meant that fed­eral en­force­ment was go­ing to be a min­i­mal.” Also, if state laws were stricter than fed­eral statute, the state laws ap­plied, even if they were not en­forced

Thus, HIPAA pro­vi­sions re­gard­ing guar­an­teed is­suance of cov­er­age, guar­an­teed re­newal, lim­its on pre-ex­ist­ing con­di­tion ex­clu­sions and porta­bil­ity were largely ig­nored by in­sur­ers and em­ploy­ers alike in some states.

Also, the Of­fice for Civil Rights did not have the money to pur­sue ag­gres­sive en­force­ment of the pri­vacy pro­vi­sions, and there was a gen­eral lack of po­lit­i­cal ap­petite for tak­ing on in­sur­ers, em­ploy­ers or providers.

What changed? For one thing, the HITECH Act, which was part of the 2009 eco­nomic stim­u­lus law, beefed up what HHS could do, from in­creas­ing what were pal­try fines to ex­tend­ing li­a­bil­ity to en­ti­ties that do busi­ness with HIPAA-cov­ered or­ga­ni­za­tions.

Also, as Maria Fried­man puts it, “Peo­ple just got fed up with all the pri­vacy breaches, whether it was vi­o­la­tions of celebri­ties’ med­i­cal records or peo­ple leav­ing lap­tops con­tain­ing the per­sonal in­for­ma­tion of thou­sands of pa­tients in un­locked cars, and the iden­tity theft that can fol­low.”

Yet dur­ing the 14½ years of not be­ing en­forced, most providers—de­spite con­flict­ing fed­eral and state reg­u­la­tions and vague guid­ance—tried to com­ply with HIPAA and pro­tect pa­tient in­for­ma­tion. One can only guess about how frus­trat­ing it must have been for them to see oth­ers play­ing fast and loose with what they were try­ing to se­cure.

They weren’t alone; ac­cord­ing to a re­cent sur­vey, 78% of U.S. adults are wor­ried about the pri­vacy and se­cu­rity of their per­sonal health­care in­for­ma­tion.

How might this saga in­flu­ence im­ple­men­ta­tion of the Af­ford­able Care Act? HHS Sec­re­tary Kath­leen Se­be­lius has al­ready is­sued more than a thou­sand waivers to em­ploy­ers, states, re­li­gious groups and oth­ers, ex­cus­ing them ei­ther tem­po­rar­ily or per­ma­nently from com­ply­ing with the law. The waivers range from let­ting the state of Maine al­low in­sur­ers to spend less on claims than the law per­mits to telling McDon­ald’s Corp. that it’s OK to sell “mini-med” poli­cies to em­ploy­ees that are so skimpy they wouldn’t cover an emer­gency depart­ment visit. How far can this go be­fore the law be­comes in­ef­fec­tive, even if the courts up­hold it?

There is lit­tle point in passing a law if it is not go­ing to be en­forced. It be­comes not only an ex­er­cise in hypocrisy, but also a cruel rais­ing of false hopes. HIPAA’s pri­vacy pro­vi­sions now have mus­cle be­hind them, and many of its insurance pro­vi­sions were in­cor­po­rated into the ACA. It would be nice if both laws were ap­plied as those who cre­ated them in­tended. <<

Emily Fried­man is an in­de­pen­dent health pol­icy and ethics an­a­lyst based in Chicago.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.