HIMSS coverage: All rise, HIPAA court is now in session

February 10, 2003

More and more patients and their attorneys are becoming aware of the regulations imposed on healthcare enterprises. And lawsuits based on health information privacy violations will become much more common, an audience at the Healthcare Information and Management Systems Society learned Monday.

"This trend has already begun," said Tracy Field, partner and chair of the Health Insurance and Portability Accountability Act task force at Arnall Golden Gregory in Atlanta.

Field predicted that healthcare businesses will also find themselves subject to other regulations that make noncompliance with HIPAA problematic on several levels.

"Given that more stringent state laws will preempt HIPAA, many states are passing new laws now to further protect their citizens' privacy," she said.

In Georgia, for example, a new identity theft law requires all businesses to shred or otherwise destroy discarded documents containing identifiable information. On the federal level, the Department of Health and Human Services has delegated enforcement authority for the Privacy Rule to the Office of Civil Rights (OCR).

"It's unclear how OCR will enforce HIPAA," Field said.

On April 14 - 60 days from now - all entities regulated by the Privacy Rule will need to cease practices that comply with preempted state laws. Instead, those covered entities must be in full compliance with the Privacy Rule's standards and with only those state laws that survive a HIPAA preemption analysis.

"Covered entities should draft a transition plan and develop a training mechanism to make all workforce members aware of expected policy and procedure changes," Field said.

If your compliance work is incomplete, Field suggested that you prioritize addressing the requirements so that your organization minimizes its chances of being cited for a violation:
- Appoint a Privacy Officer to receive questions and interact with governing bodies.
- Develop a Notice of Privacy Practices that describes to individuals how you will use and disclose their information. Distribute it to all staff members.
- Assess your security risks in order to know how likely it is that individually identifiable information may "leak" from your organization.
- Take a good look at how much information is used or disclosed for various activities. Begin immediately to establish a culture where the "minimum necessary" is the standard.

"Addressing these problems early minimizes the likelihood that a privacy complaint will be filed," Field said.