Nov. 1, 2002 (Baltimore) — With less than six months until the federal medical privacy rule takes effect, doctors, hospitals, health plans and other "covered entities" that must comply with it are turning their attention to the steps the federal government will take to enforce the law. The sweeping rule, part of the Health Information Portability and Accountability Act (HIPAA), creates new privacy rights for patients' health information and requires covered entities to launch specific policies to protect that information.
Instead of taking an aggressive approach to identify and punish violators, the Department of Health and Human Service (HHS) will follow a "complaint-driven process" that emphasizes a voluntary resolution of problems, according to Richard M. Campanelli, director of HHS' Office of Civil Rights. The office is charged with enforcing the privacy rule, which takes effect on April 14, 2003, while the Centers for Medicare and Medicaid Services (CMS) will oversee compliance with the rest of HIPAA's rules and regulations.
If, for example, a healthcare provider refuses to let a patient view or correct his or her medical records — a violation of new patient privacy rights — HHS will "contact the covered entity and attempt to engage them to achieve voluntary resolution" of the problem, Campanelli told attendees of the Fifth National HIPAA Summit here yesterday. If the problem is resolved, "that is likely to be the end of it," he said.
The law allows HHS to impose civil monetary penalties for violations that can reach as high as $25,000 in a calendar year. However, Campanelli emphasized that such fines will be reserved for cases in which a covered entity does not make a "good faith" effort to correct a violation. More serious penalties, including imprisonment, could result from criminal offenses of the law, such as selling protected health information.
Campanelli said the revisions to the privacy rule, released on Aug. 14, attempted to "improve the workability of the rule" by making patient consent voluntary instead of mandatory, clarifying the rules for marketing uses of health information, and permitting individual uses and disclosure with certain safeguards.
Fifth National HIPAA Summit. Presented Oct. 31, 2002.
Reviewed by Gary D. Vogin, MD
Medscape Medical News © 2002 Medscape
Cite this: Cathy Tokarski. HHS to Take 'Complaint-Driven' Enforcement Stance to Privacy Rule - Medscape - Nov 01, 2002.