1. HIPAA privacy compliance "significant"
Reflecting one year after the HIPAA privacy regulations required compliance from most "covered entities," a survey by the American Health Information Management Association finds that most have achieved "significant compliance."
The February survey found the two most common overall problems to be lack of standardized processes for release of Protected Health Information (PHI), and public access to records.
The most current reported problems include: accounting for release of PHI; obtaining PHI from other providers; access and release of information to relatives or significant others; and complying with business associate provisions.
Previous to the regulations going into effect, the health care industry had expressed concern over the ramifications of HIPAA's preemption of less-stringent state privacy laws. Despite this, fifty-one percent of all respondents indicated that their facilities request the consent of patients before disclosing PHI for treatment, payment or health care operations, even though neither HIPAA nor most state law requires consent in these instances.
More than half of the 1,192 industry respondents indicated that implementation required some type of electronic software or application systems upgrade. Overall, eighty-one percent of all respondents were supportive of the changes that their organization had made in order to comply with HIPAA.
2. HIPAA criminal enforcement starts
On Nov. 5, 2004, Richard W. Gibson was sentenced to 16 months in prison, three years of supervised release, and more than $9,000 in restitution for wrongful disclosure of individually identifiable health information for economic gain under HIPAA. Gibson, an employee of the Seattle Cancer Care alliance, admitted that he obtained a cancer patient's name, date of birth, and social security number while employed at the center to acquire four credit cards in the patient's name and rack up more than $9,000 in debt. The judge called the identity theft a "vicious attack on someone fighting for his life" and went above the prosecutor's recommended sentence of 12 months and sentenced Gibson to 16 months in prison.
This case represents the first ever criminal conviction under HIPAA's privacy protections. Under the criminal provisions of HIPAA, a "person" who "knowingly uses or causes to be used a unique health identifier; obtains individually identifiable health information relating to an individual; or discloses individually identifiable health information to another person," can be punished. Interestingly, Gibson was not himself a "covered entity" under HIPAA; rather he was an employee of a covered entity. Thus, this case sends a signal that the federal government may seek to pursue even non-covered entities such as employees of covered entities for criminal prosecution, even though HIPAA arguably does not apply directly to them.
3. PhRMA calls for full disclosure of drug study results
The Pharmaceutical Research and Manufacturers of America (PhRMA), the powerful drug industry lobby group, adopted updated principles for the conduct of clinical trials and the communication of the results on June 30, 2004. Among other provisions, the voluntary principles ask PhRMA companies to fully disclose results of all drug studies, not just those that support their products. Specifically, members are to "commit to the timely communication to the public of all meaningful results of clinical trials, whether those results are positive or negative."
These standards are a response to criticism from the AMA, medical journal editors, patients' groups and members of Congress, that drug companies suppress negative trial results to prevent a loss in product sales. Disclosure of drug study results has been a growing public concern, particularly so in the past months following allegations that drug companies had not published results of tests of antidepressant drugs that showed the drugs were ineffective in children and possibly could trigger suicide.
The principles are retroactively effective for trials begun after Oct. 1, 2002.
Content provided by: Office of the General Counsel