Much attention has been given lately to the fact that, although almost 23,000 HIPAA privacy-related complaints have been filed with the Department of Health and Human Services' Office of Civil Rights ("OCR") since the HIPAA Privacy Rule took effect in 2003, OCR has not yet imposed a single civil monetary penalty against a covered entity. HIPAA has been referred to as a "charade" and a "joke" by health privacy advocates. In response, Department of Health and Human Services officials have asserted that covered entities know that if they fail to comply with the informal means that OCR initially uses to address such complaints, then OCR is required by law to apply its civil monetary penalty enforcement authority. The mere threat of such sanctions, according to these officials, tends to induce cooperative behavior by health care providers against whom a complaint has been filed. Privacy officers who have received a letter from OCR regarding a HIPAA complaint can attest to this compelling effect.
But is enforcement by OCR the most effective mechanism for convincing covered entities that they need to ensure their workforce's compliance with HIPAA, or is consistent enforcement at the entity level more likely to produce compliance? Health care providers often dismiss compliance with new federal or state laws or regulations as unimportant or inapplicable to them, noting that they will start to worry when one of their peer organizations gets in trouble for violating a law or regulation. For example, a survey commissioned by the Healthcare Information and Management Systems Society ("HIMSS") in June 2005 revealed that a substantial number of providers remained out of compliance with the HIPAA Privacy Rule two years after the deadline. The survey revealed that 78% of responding providers were compliant with the HIPAA Privacy Rule. This number was basically unchanged from a similar HIMSS survey performed almost a year earlier. A statement released with the survey says that "the numbers infer little or no progress with a core group of non-compliant entities." The survey reported that the "biggest 'roadblocks' to compliance cited by the 383 survey respondents were 'no public relations or brand problems anticipated with noncompliance' and 'no anticipated legal consequences for noncompliance'."
Industry reaction to a recent news item regarding publicized sanctions imposed on employees who violated HIPAA may demonstrate that securing compliance does not depend upon who imposes sanctions, but upon the fact that meaningful sanctions are imposed. On September 26, 2006, Modern Healthcare's daily e-newsletter, Health IT Strategist, published an item about a New York City hospital that implemented sanctions against members of its workforce for a series of HIPAA violations. Thirty-nine employees of Woodhull Medical and Mental Health Center were suspended for a period of 30 to 60 days without pay after an internal audit of electronic logs demonstrated that each individual inappropriately accessed the electronic medical records of Nixzmary Brown, a 7-year-old girl whose death earlier this year prompted an overhaul of the city's child-welfare system. The suspended employees included physicians and nurses, as well as other hospital staff. Each will be required to undergo additional training before returning to work and will be subject to termination if he or she commits a second violation. Since discovering the violations, the public hospital system that owns Woodhull has implemented periodic random reviews of patient records at each of its facilities to verify compliance with privacy policies.
Those who criticize the current state of HIPAA enforcement may ask why, if privacy violations can be determined from electronic logs, did 39 violations occur with this single patient before action was taken against the employees. It is perhaps easier to criticize the hospital's speed in discovering the violation than to applaud it for actually having, and following, a policy on discipline for such violations. The fact is, HIPAA specifically requires covered entities to "have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity." 45 CFR § 164.530(e)(1). It further requires covered entities to "[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity." 45 CFR § 164.308(a)(1)(ii)(C). Accordingly, those covered entities who actually complied with HIPAA at the outset by implementing a compliance program in response to the requirements of the HIPAA Privacy and Security Rules also are required, as a necessary part of that program, to limit employees' access to patients' protected health information to the minimum amount necessary in order for employees to perform their jobs. 45 CFR § 164.502(b). They are further required to monitor audit logs of electronic information systems to ascertain whether violations of the minimum necessary rule are occurring. 45 CFR § 164.308(a)(1)(ii)(D). Only a very select few covered entities, however, actually have publicly admitted to implementing appropriate disciplinary action after a violation has been discovered and publicized.
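The audit-log review the Security Rule calls for at 45 CFR § 164.308(a)(1)(ii)(D) can be made concrete. The following is an added example, not code from the article or from Woodhull; it runs two checks over a constructed EHR access log: (1) accesses by workforce members with no documented treatment relationship to the patient (the minimum-necessary check), and (2) patient records opened by an unusually large number of distinct users, the pattern behind the 39-employee case above. The log format, the `CARE_TEAM` table, the `NO_CHART_ROLES` set and every identifier are assumptions made for illustration.

```python
"""Audit-log review for minimum-necessary violations (added example).

Assumed log format, one access event per line:
    timestamp,user_id,role,patient_id,action
All identifiers and the treatment-relationship table are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample access log (not real data).
SAMPLE_LOG = """\
2006-09-20T08:01:12,u1001,physician,P-0001,VIEW
2006-09-20T08:03:40,u1002,nurse,P-0001,VIEW
2006-09-20T08:05:02,u2045,billing,P-0001,VIEW
2006-09-20T08:06:15,u3110,clerk,P-0001,VIEW
2006-09-20T08:06:55,u3110,clerk,P-0001,PRINT
2006-09-20T09:12:30,u1001,physician,P-0002,VIEW
2006-09-20T09:15:00,u4400,physician,P-0001,VIEW
2006-09-20T10:00:00,u1002,nurse,P-0002,UPDATE
"""

# Constructed treatment relationships: patient -> users with a need to know.
# In practice this comes from scheduling, admission or care-team assignments.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-0001": {"u1001", "u1002"},
    "P-0002": {"u1001", "u1002"},
}

# Roles assumed (for this example only) never to need direct chart access.
NO_CHART_ROLES: Set[str] = {"clerk"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    action: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the comma-separated log; reject malformed lines loudly."""
    events: List[AccessEvent] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        events.append(AccessEvent(*fields))
    return events


def find_violations(events: Iterable[AccessEvent],
                    care_team: Dict[str, Set[str]] = CARE_TEAM,
                    no_chart_roles: Set[str] = NO_CHART_ROLES) -> List[AccessEvent]:
    """Events where the user had no documented need to access the chart.

    A user is flagged if absent from the patient's care team, or if the
    user's role is one that never requires direct chart access.
    """
    return [ev for ev in events
            if ev.user_id not in care_team.get(ev.patient_id, set())
            or ev.role in no_chart_roles]


def violations_by_user(violations: Iterable[AccessEvent]) -> Dict[str, int]:
    """Count flagged events per user; the input to a sanctions review."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in violations:
        counts[ev.user_id] += 1
    return dict(counts)


def unusual_access_volume(events: Iterable[AccessEvent],
                          threshold: int) -> Dict[str, int]:
    """Patients whose record was opened by more than `threshold` distinct users.

    This catches the 'many staff looked at one high-profile chart' pattern
    even when no care-team table is available for comparison.
    """
    users: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        users[ev.patient_id].add(ev.user_id)
    return {pid: len(u) for pid, u in users.items() if len(u) > threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for v in find_violations(evs):
        print(f"FLAG {v.timestamp} {v.user_id} ({v.role}) {v.action} {v.patient_id}")
    print("per-user counts:", violations_by_user(find_violations(evs)))
    print("high-volume records:", unusual_access_volume(evs, threshold=3))
```

The per-user counts are what a privacy officer would carry into a sanctions decision; the volume check is the one that would have surfaced the Woodhull pattern on the first day rather than after an after-the-fact audit, provided the review runs on a schedule rather than only in response to a complaint.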
Woodhull's actions may be seen as an example to other covered entities that HIPAA violations should not be tolerated, and that violators will be disciplined. We have observed at entities, like Woodhull, where action has been taken against members of the workforce who have violated HIPAA, that other members of the workforce report violations more promptly and appear to choose not to inappropriately access or release patients' protected health information. If more covered entities exercise greater leadership—and greater compliance with HIPAA's requirements—by consistently monitoring their workforce's compliance with HIPAA and imposing appropriate sanctions against violators, there will be less of a cry for sanctions to be imposed by OCR. If increased self-monitoring and sanctions do not occur, we may witness the adoption of the Commission on Systemic Interoperability's recommendations in its October 25, 2005 report, Ending the Document Game: Connecting and Transforming Your Healthcare Through Information Technology, one of which is to "authorize Federal criminal sanctions against individuals who intentionally access protected data without authorization." More federal criminal sanctions are definitely NOT what the health care industry needs.