HHS to Take 'Complaint-Driven' Enforcement Stance to Privacy Rule

Cathy Tokarski

November 01, 2002

Nov. 1, 2002 (Baltimore) — With less than six months until the federal medical privacy rule takes effect, doctors, hospitals, health plans and other "covered entities" that must comply with it are turning their attention to the steps the federal government will take to enforce the law. The sweeping rule, part of the Health Information Portability and Accountability Act (HIPAA), creates new privacy rights for patients' health information and requires covered entities to launch specific policies to protect that information.

Instead of taking an aggressive approach to identify and punish violators, the Department of Health and Human Services (HHS) will follow a "complaint-driven process" that emphasizes a voluntary resolution of problems, according to Richard M. Campanelli, director of HHS' Office of Civil Rights. The office is charged with enforcing the privacy rule, which takes effect on April 14, 2003, while the Centers for Medicare and Medicaid Services (CMS) will oversee compliance with the rest of HIPAA's rules and regulations.

If, for example, a healthcare provider refuses to let a patient view or correct his or her medical records — a violation of new patient privacy rights — HHS will "contact the covered entity and attempt to engage them to achieve voluntary resolution" of the problem, Campanelli told attendees of the Fifth National HIPAA Summit here yesterday. If the problem is resolved, "that is likely to be the end of it," he said.

The law allows HHS to impose civil monetary penalties for violations that can reach as high as $25,000 in a calendar year. However, Campanelli emphasized that such fines will be reserved for cases in which a covered entity does not make a "good faith" effort to correct a violation. More serious penalties, including imprisonment, could result from criminal offenses of the law, such as selling protected health information.

Campanelli said the revisions to the privacy rule, released on Aug. 14, attempted to "improve the workability of the rule" by making patient consent voluntary instead of mandatory, clarifying the rules for marketing uses of health information, and permitting individual uses and disclosure with certain safeguards.

Despite these changes, many questions remained among attendees about exactly how to proceed with crafting privacy policies. In response to a question from a Medicaid health maintenance organization director about how to write a privacy policy notification that could be understood by someone with a fourth-grade reading ability, Campanelli conceded the task was a challenge. "There is a lot of complicated stuff to reduce into a notice," he said.

Fifth National HIPAA Summit. Presented Oct. 31, 2002.

Reviewed by Gary D. Vogin, MD

