Enforcing the patient privacy component of HIPAA

By Christopher Guadagnino, Ph.D.

Published May 2003

Rick Campanelli is Director, Office for Civil Rights, U.S. Department of Health and Human Services, which is responsible for enforcing the patient privacy component of HIPAA.

PND: Does the HIPAA privacy rule affect all physicians?

RC: The privacy rule applies to the vast majority of physicians, but not necessarily all of them. Congress itself defined who would be covered under all of HIPAA’s Administrative Simplification standards: health plans, health care clearinghouses and those health care providers who conduct certain financial and administrative transactions electronically. Today, most physicians who work with insurance companies, including Medicare, do at least some of these transactions electronically, such as electronic billing. In general, they must comply with the privacy rule for all their patients. However, a relatively small number of physicians across Pennsylvania probably do all these transactions on paper and therefore would not be required to comply under the law.

PND: What are the core obligations of physicians affected by the HIPAA privacy rule?

RC: One key obligation is that physicians and other direct care providers must notify patients about their privacy practices and the patients’ protections under the privacy rule. This notice should explain how the office may use or disclose information about the patient and the patient’s rights and protections under the privacy rule. The rule also requires direct health care providers to make a good faith effort to obtain the patient’s written acknowledgement that he or she received the notice.

In addition, providers must have written privacy procedures that explain their policies and practices. They need to train their employees in these privacy practices and designate someone as their privacy officer. They also will need to secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Much of this is common sense. Most physicians probably already took many of these kinds of steps to protect the confidentiality of their patients’ medical information. The rule may require a more systematic approach for physicians and others to think about how they protect patient privacy and how consumers are affected.

One important point is that we set up the privacy rule with the understanding that physicians practice in a wide range of settings, from solo practitioners to large group practices. We’ve intentionally made the privacy rule flexible and scalable, so that physicians and other covered entities can choose the best way to meet the rule’s requirements for their particular circumstances. For example, a small physician’s office may designate the office manager as their privacy officer in addition to his or her other duties, while a big health plan or large teaching hospital may hire someone full-time in that capacity.

PND: What is the significance of the April 14 and October 16 HIPAA deadlines this year?

RC: Those deadlines actually involve two separate regulations under HIPAA’s Administrative Simplification requirements. The April 14 date is when most covered entities must comply with the privacy regulations. Small health plans have an additional year to comply, as required by Congress. Generally, doctors’ offices and other direct-care providers should present their patients with their notice of privacy practices on the first treatment encounter after the April 14 compliance deadline. The rule requires that they make a good-faith effort to obtain the patient’s written acknowledgement that they received the notice. A doctor’s office might ask patients to sign or initial a document indicating that they received the notice. If a patient refuses to provide a written acknowledgement, the doctor’s office could make a notation in the chart noting that the patient refused the request.

The October 16 date is the deadline for covered entities to comply with HIPAA’s electronic transaction standards, which ultimately will make it easier for physicians and other health care providers to conduct business electronically. These national standards will be the same for all covered entities, so physicians’ offices will no longer need to use different formats to file claims with different insurers. While the HHS Office for Civil Rights oversees implementation of, and compliance with, the Privacy Rule, the Centers for Medicare & Medicaid Services, which is another part of HHS, is responsible for overseeing implementation of and compliance with the transaction standards.

PND: Does a disclosure log have to be kept for routine health care disclosures, or only for something not in the course of ordinary treatment?

RC: No, there is not a need to keep a written accounting or log for most routine disclosures, that is, disclosures needed for the purposes of treatment, payment and health care operations. The rule also carves out other exceptions to the accounting requirements, such as for disclosures to the individual and for disclosures that the individual has specifically authorized. An accounting is required for most other disclosures, such as disclosures made to public health agencies, certain disclosures to researchers, and for other specific public purposes permitted by the rule. Of course, an accounting only has to be provided if the individual requests it. More detailed information about the accounting requirement is found in the rule itself.

PND: Who will enforce the HIPAA privacy rule and what are enforcement entities going to be looking for?

RC: The Office for Civil Rights is responsible for enforcement of the privacy rule. These efforts will be primarily complaint-driven. We will look into and investigate complaints and work to make sure that consumers are receiving their privacy rights and protections under the rule. As we do this, we will continue to encourage voluntary compliance. Most covered entities will move quickly to correct any potential problem once it is brought to their attention. That is best for the consumer, since it is the quickest path to ensuring they get the rights and protections that the rule provides.

Of course, we have available to us all the enforcement options under HIPAA, including civil monetary penalties, and we will use them as and when necessary to ensure protection of the privacy of personal health information.

PND: What are the penalties for noncompliance and how will you distinguish between unintentional violations of the new regulations and outright intentional noncompliance?

RC: Congress itself established civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Obviously, we are able to use our discretion depending on the circumstances of each situation to determine whether and if a penalty is appropriate. Probably the best specific advice I could give to doctors on ways to minimize their risks is to make sure that they carefully consider their privacy practices and take reasonable safeguards to protect the confidentiality of their patients’ personal medical information. Moreover, doctors should promptly correct any mistakes brought to their attention. HIPAA itself provides that fines can be reduced if excessive, compared to the violation, and permits penalties to be avoided entirely if the person reasonably was unaware of the violation, and took steps to cure the problem within 30 days of when he or she knew, or should have known, about it.

Potential criminal violations of the law would be referred to the U.S. Department of Justice for further investigation and appropriate action. In general, these criminal violations only involve knowing violations of the rule that result in disclosure of individual health information. The most severe penalties are reserved for willful misconduct, such as obtaining protected information under false pretenses or with the intent to sell, transfer or use protected information for commercial advantage, personal gain or malicious harm. Criminal violations could involve substantially higher fines and even jail time.

PND: Physicians in Pennsylvania are in the midst of a crisis over medical malpractice insurance costs and receive some of the lowest health insurance reimbursements in the country. How much do you think it will cost the average physician practice, in time and money, to comply with HIPAA?

RC: Well, first, on the malpractice issue, I’m sure your readers are aware that President Bush and Secretary Thompson are working aggressively to get medical liability reform enacted by the Congress. Their proposal should help reduce the costs of malpractice insurance and help rein in the rising costs of health care nationally. I realize that doctors and others will incur costs as they develop their policies to get ready for the HIPAA privacy regulations. However, the other HIPAA Administrative Simplification standards will actually result in significant long-term savings for physicians and the whole health care system. By creating uniform standards for electronic transactions, we will reduce the time and money spent on administrative functions like filling out and filing claims. Congress thought it necessary to increase the privacy safeguards at the same time that it made electronic transactions simpler and easier to conduct. And I think most doctors would agree that it is important to protect their patients’ confidentiality, especially now, when patient medical information is increasingly stored in computers and can be easily sent electronically from place to place.


© 1996-2007, Physician's News Digest, Inc. All rights reserved.
