HIPAA survey finds low compliance, patient concerns
By Steven E. Fisher, MBA
The Health Insurance Portability and Accountability Act (HIPAA) has been hailed as one of the most significant pieces of legislation affecting health care organizations and institutions since the creation of the Medicare program. The HIPAA Privacy Rules, which were finalized in 2002, created national standards to protect patients’ medical records and other personal health information.
The Privacy Rules also give patients more control over their health data and limit the way that physicians, including orthopaedic surgeons, may use the information and release it to third parties. Finally, the regulations set up guidelines that doctors must follow to protect the privacy of their patients’ “protected health information” (PHI), and hold them accountable for violations. Covered entities, including virtually all orthopaedic offices, were supposed to be in compliance with the privacy rules by April 14, 2003.
The fines for noncompliance are substantial. The Office for Civil Rights (OCR) in the Department of Health and Human Services (DHHS) may impose civil fines of up to $100 for each violation with a cap of $25,000 per year for unintentional breaches. The Department of Justice (DOJ), however, may impose criminal penalties—including prison time—for intentional violations.
Medical practices, including orthopaedic offices, have spent a great deal of time and money attempting to achieve compliance with HIPAA’s various regulations. More information on key areas of compliance can be found in the AAOS online Practice Management Center.
The AHIMA survey
Since the last survey in 2005, fewer hospitals and health care facilities reported they were at least 85 percent compliant with the privacy regulations. The percentage reporting 85 percent or more compliance fell from 91 percent in 2005 to 85 percent in 2006. The percentage of respondents who believed they were less than 85 percent compliant increased from 9 percent in 2005 to 15 percent in 2006. More than half of the responding institutions reported that “resources” are the most significant barrier to full privacy compliance.
On the positive side, the study did conclude that after three years, most providers are becoming accustomed to the various provisions of the Privacy Rules. It stated, however, that “there are still reports of difficulties with a select few requirements, notably accounting for disclosures.”
Second, patient concerns regarding the privacy of their health records are continuing to increase, and a growing number of patients are refusing to sign forms permitting the release of their records. In the 2006 survey, 22 percent of respondents reported encountering more patients who refused to sign such forms, and 30 percent said they were encountering more questions from patients regarding the privacy of their records. Interestingly, respondents from smaller health care facilities were more likely to say that privacy concerns were not an issue for their patients.
Implications for orthopaedic practices
Traditionally, medical practices have had lower levels of compliance with HIPAA than hospitals have had. Among the reasons for this may be limited resources and resistance to perceived overregulation. But if other surveys report similar findings, the government may abandon its current practice of simply encouraging compliance on the part of covered entities and aggressively start to impose civil penalties and criminal sanctions. Orthopaedic practices should prepare for this eventuality by being sure they are compliant with all HIPAA regulations, including the Privacy Rules. For more information, see the articles in the online Practice Management Center (member login required).
If patients at health care institutions are refusing to sign release forms, patients in medical practices are likely to start doing the same thing, even if this trend has not yet been documented. This could have two major implications for orthopaedists.
First, orthopaedists and their staff will have to dedicate more time and resources to educating patients about the privacy regulations, so that the patients can make informed decisions on releasing their records. This will be particularly important for academic practices involved in conducting medical research.
Second, offices will need to carefully document any disclosures to third parties.
Steven E. Fisher, MBA, is manager of the practice management group in the AAOS department of electronic media, evaluation and course operations. He can be reached at (847) 384-4331 or firstname.lastname@example.org