Medicare Compliance & Reimbursement

HIPAA:

Redouble Privacy Rule Efforts--Or Risk Fines, Lawsuits

Health systems struggle to comply, survey suggests.

Many health care providers' policies relating to the Health Insurance Portability and Accountability Act's privacy rule may be sitting on a back burner--and providers could wind up getting burned.

The drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning that compliance should not be taken for granted, Theresa Reynolds of the American Health Information Management Association tells Eli.

The percentage of healthcare privacy officers and others whose jobs relate to HIPAA privacy who believe their institution is more than 85 percent compliant dropped to 85 percent in 2006, down from 91 percent in 2005. As a result, the percentage of privacy officers who believe they are less than 85 percent compliant increased from 9 percent in 2005 to 15 percent in 2006.

The news of the drop in compliance comes on the heels of the final HIPAA enforcement rule, which the feds published on Feb. 16. Through the rule, the Department of Health and Human Services spells out policies for imposing civil monetary penalties for violations of the HIPAA Privacy and Security Rules.

Providers should evaluate their compliance with the new regulatory requirements on an ongoing basis, advises Martie Ross, an attorney with Foulston Siefkin LLC in Wichita, KS.

Allocate Resources Wisely

Most respondents on the AHIMA survey--55 percent--cited a lack of sufficient resources as the most significant barrier to full privacy compliance.

Respondents report sensing a loss of support from senior management, both in ensuring that facility staff are aware of the need for privacy and in ensuring sufficient budgeting for continued education and training.

Money providers spend on compliance should pay off quickly, Ross says.

The U.S. Office of Civil Rights, charged with enforcing the privacy rule, can levy penalties of $100 for each violation, up to a maximum of $25,000 for identical violations in the same calendar year.

In addition to the possibility of civil money penalties and criminal charges, HIPAA violations may form the basis for private causes of action against covered entities, Ross advises.

When asked about patient privacy concerns, 30 percent of the AHIMA survey respondents said they encountered more questions from consumers this year over last. In addition, 22 percent reported an increase in the number of patients who refused to sign release of information forms.

Providers need to play a role in educating consumers regarding the protection of their personal health information.

For a copy of the report, "State of HIPAA Privacy and Security Compliance 2006," visit AHIMA's Web site at www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf.