184 posts categorized "HIPAA"

November 16, 2006

Federal appeals court: No private right of action to enforce HIPAA

Is there a private right of action to enforce HIPAA?  The answer is now more definitive than ever: No. 

This week, the Fifth Circuit Court of Appeals -- the first federal appeals court to decide this issue -- went along with every federal district court that has considered the issue (not to mention the regs themselves, which are pretty clear on the subject).  (See the decision here.  See HIPAA regs and more on OCR's HIPAA page here.)

Why has the plaintiff bar continued to assert a private right of action under HIPAA?  First of all, why not?  Throw it all against the wall and see what sticks. Second, if it were successful, it would bootstrap a state law claim into Federal court, which may be beneficial to the plaintiff.  (In Acara v. Banks, the Fifth Circuit decision handed down November 13, the remaining state law claims were dismissed because there was no diversity jurisdiction.)  Third, from a broader perspective, one function of the private lawsuit is to effect social change.

Now that the government seems poised to actually enforce HIPAA, the third reason may go by the boards (I know, I know . . . we still need to wait and see).  If enforcement is truly stepped up for the benefit of the public, perhaps the plaintiff bar can make peace with its inability to rely on the first two reasons for pursuing the private right of action. 

In any event, those within the community of "covered entities" under HIPAA need to get with the program and come into full compliance, and I have seen a renewed interest in HIPAA compliance audits of late.

-- David Harlow

October 18, 2006

Survey says . . . HIPAA compliance not where it ought to be

HIMSS and Phoenix Health Systems recently released results of their latest semi-annual HIPAA compliance survey. 

Though the deadline for compliance with the HIPAA Security Rule passed over a year ago, only 80% of payers and 56% of providers who responded to the US Healthcare Industry HIPAA Summer 2006 Survey have implemented the Security standards. 

On the privacy front:

  • A substantial percentage of Providers (22%) and Payers (13%) remain non-compliant with the Privacy regulations. These results are consistent with findings in all preceding Surveys since 2004, suggesting that a core group of covered entities either cannot or will not implement the Privacy standards.
  • Even among "compliant" organizations, significant implementation gaps remain in certain areas, including establishing Business Associate Agreements, monitoring internal Privacy compliance, and maintaining "minimum necessary" information disclosure restrictions.
  • The percentage of reportedly compliant Provider organizations that has experienced privacy breaches decreased from January 2006, from 60% to 52%. Reportedly non-compliant Providers experienced more privacy breaches (64%) than compliant Providers, consistent with January 2006 Survey findings.

See the press release or the full report for more details.

Payors and providers got a free pass for a while on HIPAA compliance; the new enforcement rule effective in March was supposed to change all that.  Law.com published an article with compliance pointers in August, but a number of commentators have observed a paucity of enforcement efforts.

For example, Rebecca Herold, at The IT Compliance Conversation blog notes:

Instead of clarifying compliance enforcement issues for covered entities (CEs), the Enforcement Rule has seemed to confuse and mislead many CEs into believing that they really don't need to do much with regard to HIPAA compliance unless the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) come knocking at their door and tell them they specifically need to do something.

(That post includes a link to a podcast on this topic as well.)

Payors and providers should move to come into full HIPAA compliance before the government decides to allow for a private right of action -- i.e., lawsuits filed by individuals alleging harm caused by a HIPAA violation and claiming damages.

October 04, 2006

GAO finds CMS data security practices wanting

A GAO report made public yesterday finds that Medicare patient data transmission is insecure.  The AP/Washington Post story on the report says:

Security weaknesses have left millions of elderly, disabled and poor Americans vulnerable to unauthorized disclosure of their medical and other personal records, federal investigators said yesterday.

The Government Accountability Office said it found 47 weaknesses in the computer system used by the Centers for Medicare and Medicaid Services to send and receive bills and to communicate with health-care providers.

The agency oversees health-care programs that benefit one in four Americans. Its data are transmitted through a computer network that is privately owned and operated.

The CMS did not always ensure that its contractor followed the agency's security policies and standards, according to the GAO.

"As a result, sensitive, personally identifiable medical data traversing this network are vulnerable to unauthorized disclosure," the federal investigators said.

CMS's response stated that there had been no actual security breaches, and also noted (p. 12 of the report):

CMS has moved aggressively to implement corrective actions for the reported weaknesses and that corrective action or new compensating controls had already been completed for 22 of the 47 weaknesses. An additional 19 weaknesses are scheduled for closure. The remaining six weaknesses are under review to determine what additional resources are needed and their financial impact.

This comes on the heels of another GAO report which highlighted privacy breaches among subcontractors administering aspects of Medicare, TRICARE and Medicaid programs, the lack of consistent reporting mechanisms and the fact that some data was stored offshore, potentially beyond the reach of HIPAA enforcement.

We all know that reliance on digitized data and the global economy have created these potential problems.  The GAO reminds us that a little extra vigilance will go a long way towards ensuring that we do not lose control over access to sensitive data.

July 14, 2006

Does HIPAA work?

Development of a Nationwide Health Information Network (NHIN) -- a uniform system of electronic health record architecture and interoperability -- has been underway for a year or so under contracts awarded by U.S. HHS (see, e.g., last November's award), and progress is monitored and reported through the National Committee on Vital and Health Statistics (NCVHS).

As AISHealth.com reports this week:

Mark Rothstein, the influential privacy subcommittee chairman of [NCVHS] which provides guidance to HHS on implementation of the privacy regulation, sees the new [NHIN] as an opportunity to "rethink everything" related to the privacy rule.

In his recent report to HHS Secretary Mike Leavitt, Rothstein summarized testimony received over an 18-month period and made recommendations which confirm that he doesn't think HIPAA is doing a very good job of maintaining confidentiality of PHI, a concern that is appropriately heightened in the face of the expanding use of EHRs.  I think it's worth listing all of his recommendations, just to get a sense of the scope of the issues highlighted by NCVHS as we come closer to having nearly ubiquitous EHR systems -- whether through the eventual rollout of the NHIN or through the nearer-term development of various private EHR systems:

1. The method by which personal health information is stored by health care providers should be left to the health care providers.
2. Individuals should have the right to decide whether they want to have their personally identifiable electronic health records accessible via the NHIN. This recommendation is not intended to disturb traditional principles of public health reporting or other established legal requirements that might or might not be achieved via NHIN.
3. Providers should not be able to condition treatment on an individual's agreement to have his or her health records accessible via the NHIN.
4. HHS should monitor the development of opt-in/opt-out approaches; consider local, regional, and provider variations; collect evidence on the health, economic, social, and other implications; and continue to evaluate in an open, transparent, and public process, whether a national policy on opt-in or opt-out is appropriate.
5. HHS should require that individuals be provided with understandable and culturally sensitive information and education to ensure that they realize the implications of their decisions as to whether to participate in the NHIN.
6. HHS should assess the desirability and feasibility of allowing individuals to control access to the specific content of their health records via the NHIN, and, if so, by what appropriate means. Decisions about whether individuals should have this right should be based on an open, transparent, and public process.
7. If individuals are given the right to control access to the specific content of their health records via the NHIN, the right should be limited, such as by being based on the age of the information, the nature of the condition or treatment, or the type of provider.
8. Role-based access should be employed as a means to limit the personal health information accessible via the NHIN and its components.
9. HHS should investigate the feasibility of applying contextual access criteria to EHRs and the NHIN, enabling personal information disclosed beyond the health care setting on the basis of an authorization to be limited to the information reasonably necessary to achieve the purpose of the disclosure.
10. HHS should support research and technology to develop contextual access criteria appropriate for application to EHRs and inclusion in the architecture of the NHIN.
11. HHS should convene or support efforts to convene a diversity of interested parties to design, define, and develop role-based access criteria and contextual access criteria appropriate for application to EHRs and the NHIN.
12. HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit, or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers, and schools.
13. HHS should explore ways to preserve some degree of state variation in health privacy law without losing systemic interoperability and essential protections for privacy and confidentiality.
14. HHS should harmonize the rules governing the NHIN with the HIPAA Privacy Rule, as well as other relevant federal regulations, including those regulating substance abuse treatment records.
15. HHS should incorporate fair information practices into the architecture of the NHIN.
16. HHS should use an open, transparent, and public process for developing the rules applicable to the NHIN, and it should solicit the active participation of affected individuals, groups, and organizations, including medically vulnerable and minority populations.
17. HHS should develop a set of strong enforcement measures that produces high levels of compliance with the rules applicable to the NHIN on the part of custodians of personal health information, but does not impose an excessive level of complexity or cost.
18. HHS should ensure that policies requiring a high level of compliance are built into the architecture of the NHIN.
19. HHS should adopt a rule providing that continued participation in the NHIN by an organization is contingent on compliance with the NHIN's privacy, confidentiality, and security rules.
20. HHS should ensure that appropriate penalties be imposed for egregious privacy, confidentiality, or security violations committed by any individual or entity.
21. HHS should seek to ensure through legislative, regulatory, or other means that individuals whose privacy, confidentiality, or security is breached are entitled to reasonable compensation.
22. HHS should support legislative or regulatory measures to eliminate or reduce as much as possible the potential harmful discriminatory effects of personal health information disclosure.
23. NCVHS endorses strong enforcement of the HIPAA Privacy Rule with regard to business associates, and, if necessary, HHS should amend the Rule to increase the responsibility of covered entities to control the privacy, confidentiality, and security practices of business associates.
24. Public and professional education should be a top priority for HHS and all other entities of the NHIN.
25. Meaningful numbers of consumers should be appointed to serve on all national, regional, and local boards governing the NHIN.
26. HHS should establish and support ongoing research to assess the effectiveness and public confidence in the privacy, confidentiality, and security of the NHIN and its components.
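As an added illustration of recommendations 8 and 9 above (role-based access, and contextual access criteria that limit a disclosure to what is reasonably necessary for its purpose), here is example code written for this page; it is not from the NCVHS report, HHS, or any NHIN contractor. The roles, purposes, field names, the patient record, the "substance_use" restricted category and the consent mechanism are all assumptions made up for the example:

```python
# Added example, not from the NCVHS report or this blog: a toy enforcer for
# recommendations 8 and 9. Access is role-based (role -> purpose -> permitted
# fields, deny by default) and contextual (only the fields needed for the
# stated purpose are released, and diagnosis/medication entries in a
# restricted category are withheld unless the patient consented to that
# category). Policy tables, field names and the record are all constructed.

# Assumed sensitive class of information (cf. recommendations 7 and 14).
RESTRICTED_CATEGORIES = {"substance_use"}

# Constructed sample record, not real data.
RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Doe",
    "dob": "1950-01-01",
    "ssn": "000-00-0000",
    "diagnoses": [
        {"code": "E11", "desc": "Type 2 diabetes", "category": "general"},
        {"code": "F10", "desc": "Alcohol dependence", "category": "substance_use"},
    ],
    "medications": [
        {"name": "metformin", "category": "general"},
        {"name": "naltrexone", "category": "substance_use"},
    ],
    "billing": {"insurer": "Acme Health", "member_id": "M-12345"},
}

# Hypothetical role-based policy: role -> purpose -> fields that may be
# released. Anything not listed (e.g. ssn, for every role) is never released.
POLICY = {
    "treating_clinician": {
        "treatment": {"patient_id", "name", "dob", "diagnoses", "medications"},
    },
    "billing_clerk": {
        "payment": {"patient_id", "name", "dob", "billing"},
    },
    "researcher": {
        "research": {"patient_id", "dob", "diagnoses"},
    },
}

AUDIT_LOG = []  # (role, purpose, decision, fields released)


class AccessDenied(Exception):
    pass


def _filter_entries(entries, consents):
    """Drop entries whose category is restricted and not covered by consent."""
    return [e for e in entries
            if e["category"] not in RESTRICTED_CATEGORIES or e["category"] in consents]


def disclose(record, role, purpose, patient_consents=frozenset()):
    """Return the subset of `record` that (role, purpose) is permitted to see.

    Unknown roles or purposes raise AccessDenied rather than falling back to
    a default view, so a mis-typed purpose cannot widen a disclosure.
    """
    allowed = POLICY.get(role, {}).get(purpose)
    if allowed is None:
        AUDIT_LOG.append((role, purpose, "denied", ()))
        raise AccessDenied(f"no policy for role={role!r} purpose={purpose!r}")

    released = {}
    for field_name in sorted(allowed):
        if field_name not in record:
            continue
        value = record[field_name]
        # Category-tagged lists get the content-level filter; scalar fields
        # are released whole once the role/purpose check has passed.
        if isinstance(value, list) and value and "category" in value[0]:
            value = _filter_entries(value, patient_consents)
        released[field_name] = value
    AUDIT_LOG.append((role, purpose, "released", tuple(sorted(released))))
    return released


if __name__ == "__main__":
    print(disclose(RECORD, "treating_clinician", "treatment"))
    print(disclose(RECORD, "treating_clinician", "treatment",
                   patient_consents=frozenset({"substance_use"})))
    print(disclose(RECORD, "researcher", "research"))
    try:
        disclose(RECORD, "billing_clerk", "treatment")
    except AccessDenied as exc:
        print("denied:", exc)
```

Two design points worth noting. Medications carry the same category tag as diagnoses because a drug name alone (naltrexone here) can reveal the condition the filter was meant to withhold, so a content-level restriction has to follow the information, not just the field it was first recorded in. And the policy table, not the code, is where "minimum necessary" lives: a compliance reviewer checks the table, and the audit log records which fields actually left the system for each (role, purpose) pair.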