The HIPAA privacy rule: A decade of enforcement
In April 2003, the U.S. Department of Health and Human Services, or HHS, Office for Civil Rights, or OCR, began enforcing the Health Insurance Portability and Accountability Act, commonly known as HIPAA. Now, a decade later, we can look at how the rule is being applied.
Facts and figures
As of press time, HHS had received a total of almost 80,000 HIPAA complaints. Of those, more than 44,000 were dismissed, more than 19,000 were investigated and resolved with changes to privacy practice, and more than 9,000 were investigated and no violation was found. Investigations were conducted against many types of entities, including national pharmacy chains, major medical centers, group health plans, hospitals and small provider offices. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement, followed by general hospitals. With the exception of 2009, HIPAA complaints have been increasing annually. In 2011, there were more than 9,000 complaints received.
According to HHS, the compliance issues investigated most frequently are, in order:
- Impermissible use and disclosure of protected health information;
- Lack of safeguards for protected health information;
- Lack of patient access to their own protected health information;
- Use or disclosure of more than the minimum necessary protected health information; and,
- Lack of administrative safeguards of electronic protected health information.
Typically, complaints are resolved by the covered entity (i.e., hospital, pharmacy, health plan or medical practice) instituting new procedures to ensure patient privacy, training or retraining staff, censuring or dismissing staff, and making policy changes to protect electronic data. Often settlements also include monetary payments. Some recent examples of enforcement actions include the following:
- A grocery store-based pharmacy chain kept its pseudoephedrine log books, which contained protected health information, in such a way that the protected information was visible to the public at the pharmacy counter. The pharmacy chain was required to implement national policies and procedures to safeguard the information in the log books and to train all staff on the new policy.
- A pharmacy employee placed a patient’s insurance card in another patient’s prescription bag. OCR held that insurance cards contain protected health information and need to be safeguarded. The pharmacy was required to revise its policies and retrain its staff.
- A nurse and orderly in a state hospital discussed the HIV/AIDS status of a patient and patient’s spouse within earshot of other patients without making any effort to prevent the disclosure. Both employees were put on leave, disciplined, given a year of probation, referred for peer review and given more HIPAA privacy training. A monetary settlement was given to the patient.
- A nurse practitioner working in a multi-hospital healthcare system impermissibly accessed the medical records of her ex-husband. The health system terminated the nurse practitioner’s access to the electronic records system, reported her conduct to the licensing authority and provided her with remedial privacy rule training.
Use caution with personal health information
To avoid HIPAA privacy issues, it’s wise to treat patient records as you would want your own private records treated. In other words:
- Don’t share private information unless necessary;
- Properly safeguard electronic records;
- Don’t access records for patients whom you are not actively treating; and
- Don’t casually talk about patients in front of other patients or customers.
Stay tuned for the next law column, which will cover frequently asked questions about the HIPAA privacy rule.
Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.
Avandia could remain available following FDA advisory committee vote
PHILADELPHIA — A joint Food and Drug Administration expert panel voted to recommend keeping a controversial GlaxoSmithKline diabetes drug available for certain patients, GSK said.
The drug maker said that in a vote on the drug Avandia (rosiglitazone), a majority of the FDA’s Endocrinologic and Metabolic Drugs Advisory Committee and Drug Safety and Risk Management Advisory Committee members — 13 and seven, respectively — voted to modify or remove the drug’s safety protocol, known as a risk evaluation and mitigation strategy, or REMS. REMS are used for drugs that are approved by the FDA but may pose a safety risk to patients. Five members voted to keep the REMS, while one voted to remove Avandia from the market.
The vote was based on a reevaluation of GSK’s 2009 RECORD study, and the FDA will take it into consideration when it decides whether or not to maintain the current safety protocol for Avandia, which will continue to be available through the REMS program. The second analysis of the RECORD study indicated Avandia may not carry higher risk of heart attacks than other diabetes medications.
"We appreciate the committee’s thorough examination of the RECORD results and will continue to work with the FDA as it considers the recommendations of the committee," GSK chief medical officer James Shannon said. "We continue to believe that Avandia is a safe and effective treatment option for Type 2 diabetes when used for the appropriate patient and in accordance with labeling."
The controversy surrounding Avandia goes back to 2010, when the FDA moved to significantly restrict access to the drug — once a top-selling Type 2 diabetes drug on the market — in response to a 2007 study suggesting its use could increase the risk of heart attacks and strokes. The drug was made available only to patients if they could not control their blood-sugar levels with Takeda’s Actos (pioglitazone), a drug that belongs to the same class as Avandia. Meanwhile, regulators in the European Union banned the drug altogether.
In January 2011, GSK took a legal charge of $3.4 billion related to an investigation by the U.S. Attorney’s Office for the District of Colorado alleging that it continued selling and promoting the drug in spite of reports of its cardiovascular risks, and the drug’s labeling was revised a month later. In November 2011, Avandia was pulled from retail pharmacy shelves and made available only by mail order from specially certified pharmacies.
Study measures efficacy of lice remedies
Head lice have long been the scourge of schoolchildren and their families. In the United States, the Centers for Disease Control and Prevention estimates that 6 million to 12 million lice infestations occur each year among children ages 3 to 11 years. Lice can spread quickly through direct contact with the hair of a person who has them — though personal hygiene, cleanliness of the home or school, and sharing of clothing and personal items are not usually the cause. (Lice are less common among African-Americans, which may be because of the shape and width of African-Americans’ hair, according to the CDC.)
If the ease with which they spread isn’t bad enough, there’s also growing concern that lice could become resistant to over-the-counter medicines used to kill them. A recent study, funded by skin treatments maker Tec Labs and published in the journal Pharmacology & Pharmacy, compared two treatments for head lice: sodium chloride spray in the 1% strength and the current recommended treatment, 1% permethrin crème rinse.
Though the brand has been on the market for 15 years, “this is the first clinical trial we’ve done on any Licefreee-branded product,” a Tec Labs spokesman told DSN Collaborative Care. Tec Labs markets sodium chloride 1% under the brand name Licefreee Spray, and also markets the treatment in gel and shampoo forms.
The study enrolled 42 treatment subjects, ages 4 years and older, who were diagnosed as having an active head lice infestation, defined as having at least 10 live lice found during a screening. They were then divided into two groups of 21, one of which received sodium chloride spray, while the other received permethrin. Treatment was administered over a course of 15 days, with administration on the first and eighth days and checkups on the first, eighth and 15th days. Only those found with live lice were given a second administration on the eighth day, using the same products and protocols as on the first day.