Attendees at the HIPAA Implementation Forum gathered to hear the latest on compliance, implementation, and enforcement - and allay their fears.
Judging from the repetitive nature of audience queries at each
session, there were essentially two questions on the minds of the
hundreds of attendees at the recent Health Insurance Portability
and Accountability Act (HIPAA) Implementation Forum, sponsored by
the Health Care Compliance Association (HCCA) and Advancing Health
in America: How severe will the punishment be for noncompliance
with the HIPAA privacy rule; and will the rule lead to a deluge of
patient complaints and new lawsuits?
And while the keynote speakers and other session leaders at the
conference, held in San Diego, on December 10-11, did not dispel
these fears completely, they did provide comprehensive education
about the rule and specific strategies to ensure successful
integration of HIPAA compliance into existing programs.
The goals of the 2-day forum were to initiate dialogue on best
practices of compliance by presenting case studies; develop
benchmarks from which participants could evaluate compliance
efforts; and help attendees identify strategies for working with
key departments such as medical records, information services,
nursing, billing, and registration to integrate compliance
training, implementation, and monitoring.
REGULATOR CALMS ENFORCEMENT FEARS
The conference's first speaker, Alex Azar, general counsel of
the US Department of Health and Human Services (HHS), offered a
federal regulator's perspective on privacy. "This is a system of
privacy regulation that is based on common sense," Azar said of the
rule.
Among other topics, he addressed the recent Research Provision
modifications, which were published in August. "We heard a lot of
complaints from people that the original provision was too
complex," he said. "The original eight criteria were called
confusing and redundant. We have streamlined these criteria, and
also eliminated certain requirements." In particular, the research
modifications now include a single set of requirements that apply
to all types of authorizations, including those for research
purposes. This eliminates the specific provisions for
authorizations for uses and disclosures of protected health
information created for research that includes treatment of the
individual. As a result, an authorization for such research does
not require any additional elements above and beyond those required
for authorizations in general.
Also, Azar said the requirement that there be an expiration date
on research authorizations has been modified, stemming from
complaints that the particular end date of a research study may not
have been known under the previous regulation.
Azar also acknowledged that the health care industry "needs
these research rules. Without them, the voluntary flow of
information for research will dry up."
Azar's response to the numerous questions about enforcement
sought to reassure attendees. "We are not going to have auditors
sweeping down on hospitals and health care groups. It will be
entirely a complaint-driven process," he said. "As an organization,
we have limited resources, too. We will prioritize the enforcement.
Complaints have to be well founded."
In direct response to a question about civil monetary penalties,
Azar said, "This won't be a game of 'gotcha!' The providers who will
have to worry are the ones with their heads in the sand on HIPAA,
the ones that haven't read the rule." In addition, Azar said that
the HHS intends to defer to states' authority as much as possible,
and that the HHS Secretary has the authority to waive or reduce
penalties.
OCR MANAGER ADDRESSES ENFORCEMENT
Azar's address was followed by an "Enforcement Perspective on
HIPAA," led by Ira Pollock, JD, regional manager for the Office of
Civil Rights (OCR), US Department of Health and Human Services, San
Francisco.
Like Azar, Pollock tried to reassure attendees that enforcement
should not be feared. "Historically, most complaints to our
organization have been informally resolved. We really stress
voluntary compliance," he said. However, his address went on to
clearly spell out the consequences of noncompliance. Among his key
points:
- The privacy rule will be enforced by complaints filed by patients who believe they have been discriminated against. OCR will look at compliance reviews from tips, and review any program that receives HHS funds.
- Complaints must be filed within 180 days of an incident.
- Complaints must be in writing.
- OCR has "delegation of authority to enforce the rule," and to impose civil monetary penalties.
- Organizations are required to permit access without notice to their facilities, as well as access to the appropriate books, records, and anything pertinent to compliance.
- "We will inform the covered entity if investigation indicates a failure to comply. We will notify you in writing and seek informal resolution. If it can't be resolved, the OCR will issue written findings," said Pollock.
- After that, there is a penalty of $100 per violation, with a $25,000 cap for each calendar year.
- However, the Department of Justice can impose up to $50,000 in fines and 1 year in jail for knowingly obtaining or disclosing information.
SESSIONS OFFER STRATEGIES
The remainder of the conference consisted of various breakout
sessions devoted to strategies for full compliance, including
business associate strategies, HIPAA and research issues, and
privacy and security issues.
A session entitled "Business Associates Strategies," led by Judy
Noon, principal for Deloitte & Touche, Portland, Ore, and Linda
Malek, partner with Moses & Singer, New York, was devoted to
how health care organizations can deal with business associates
within the HIPAA framework. Among the main points touched on by
Noon and Malek:
- A "covered entity" may be a business associate of another covered entity.
- A covered entity may not disclose protected health information to a business associate without a written contract.
- A covered entity retains liability if that entity knew of a violation by a business associate. The covered entity must also have substantial and credible evidence of a violation.
- If an entity has knowledge of a violation of an agreement by a business associate, then it must take reasonable steps to cure the breach and, if not successful, must terminate the agreement or report the breach to the HHS Secretary.
The lecturers also presented assessments to identify business
associates, and strategies to identify third parties that receive
protected health information from an organization.
In addition, the final modifications to the privacy rule were
presented. One such modification gives covered entities up to an
additional year to amend existing contracts with business
associates.
RESEARCH AND SECURITY
Among the other presentations at the forum, the most
well-attended included a session on HIPAA and Research, a session
on Privacy and Security, and a session on HIPAA web-based
strategies. The first contained a detailed review of the sections
of the rule related to research, as well as the research site's
perspective on HIPAA implementation. Research requirements that
were covered included this information:
- Covered entities must provide detailed notices of their privacy policies and practices to study participants.
- They must provide physical, technical, and administrative security.
- They must allow data subjects to access and correct protected health information about themselves.
- "The August 14, 2002, revisions are practical and appropriate and will reduce HIPAA's negative impact on research."
The Privacy and Security session, led by Alan S. Goldberg, a
partner with Goulston & Storrs in Boston, described the likely
offenses and best defenses when HIPAA enforcement starts. The
session also presented the federal sentencing guidelines and corporate compliance programs in
detail. Goldberg gave the following advice on what organizations should do to avoid civil HIPAA penalties:
- Use reasonable diligence to know as much as you can about HIPAA.
- Establish policies that evidence a reasonable approach to prevention.
- Avoid being neglectful or reckless.
- Try to cure breaches within 30 days.
- Ask for extensions if necessary.
- Seek technical advice if necessary.
- Document everything.
In addition, a HIPAA web-based strategies session, led by Evan
Crawford, director of Internet strategies for the Children's
Hospital of Philadelphia, gave attendees practical techniques for
using the Web to reduce time, cost, and frustration during HIPAA
implementation. "There are two specific regulations, privacy and
security/electronic signatures, that require staff training," said
Crawford. "Training can be done much quicker and easier through the
Internet. One thing we did was to hire a consultant who helped us
greatly expand the web-based services we offer to patients,
doctors, and administrators. Essentially, training and support is
what you should be looking into for employees."
Crawford suggested companies look into using web services
concepts that introduce a single web-based model for transaction
and security. Also discussed were strategies for leveraging HIPAA
compliance to add value to e-health and e-commerce initiatives.
Web Resources
The following web sites contain comprehensive, up-to-date HIPAA information:
- www.hcca-info.org The Health Care Compliance Association site.
- www.himss.org The Healthcare Information and Management Systems Society site contains HIPAA information specifically for information technology administrators.
- www.hhs.gov This site offers the final privacy rule regulations.
- http://aspe.hhs.gov The site offers links to the final transaction sets and codes along with an FAQ section on implementation.
- www.hiaa.org The Health Insurance Association of America (HIAA) offers a HIPAA privacy primer with legal interpretations from a broad health care perspective.
- www.arrowprof.com A professional organization offers a series of articles on executing HIPAA regulations.
Ben Van Houten is associate editor of Decisions in Imaging Economics.