[ Wednesday, September 17, 2003 ]
I wasn't there (I was giving a HIPAA speech myself in Plano, Texas), but the Seventh Annual National HIPAA Summit occurred in Baltimore
over the last few days. In addition to more information on the upcoming "train wreck" and contingency plans by CMS and others, one of the OCR advisors for HIPAA policy did speak and gave an update on what's happening on the complaint front.
To date, OCR has received more than 1800 complaints, at a rate of 75-100 per week. The most common complaints involve disclosure of PHI by a plan or provider, but many involve denial of access or improper safeguards, such as the calling out of patient names in pharmacies and waiting rooms or the use of unprotected sign-in sheets. Some of these complaints aren't really HIPAA violations, or might not be. Many complaints occur when the patient discovers that other people know about his or her medical condition, and where that information becomes "the talk" of the workplace.
About one-third of the complaints are dismissed by OCR for lack of jurisdiction. Many of these complaints are leveled against employers (where employees talk about an individual's medical condition) or are complaints that a provider refused to give information to a spouse or parent of a patient, instances where the provider could have provided the information but was not required to do so; in those cases, OCR will often let the provider know that it would have been OK to release the information, and that the provider is being overcautious.
OCR has not levied any civil fines yet, and they say that they are committed to making the enforcement process collaborative and cooperational. However, OCR has forwarded some complaints on to the Department of Justice for criminal investigation
. These are the really bad cases, they say; I would hope so. Especially since OCR jumped right over civil penalties and are heading straight for criminal liability.
Jeff [9:45 AM]
Blogger: HIPAA Blog - Edit your Template