WHAT TO EXPECT IN THE EVENT OF A
HIPAA PRIVACY RULE VIOLATION
Responsible Enforcement Agency.
The United States Department of Health
and Human Services, Office for Civil Rights, is responsible for enforcing the
privacy rule in the event of an alleged violation of
HIPAA’s national standards by a “covered entity,” including a medical
office. As such, the Office for Civil Rights may
conduct investigations of any registered complaints and/or initiate a
HIPAA privacy rule violations occurring in
a HIPAA Investigation
At this time, investigations usually are triggered by the receipt of a complaint by the Office for Civil Rights (OCR) alleging that your medical office is not in compliance with the federal standards for privacy of individually identifiable health information. The OCR Investigator is likely to make initial contract by telephone. The patient has the option to remain anonymous. Complaints can be filed either on paper or electronically and must be filed within 180 days of the alleged act of noncompliance. This 180 day period may be extended for “good cause,” a term undefined by OCR. OCR recommends using their complaint form. All complaints are given a transaction number.
We have found that the Investigator initially will not make available to you specific facts regarding the alleged violation but will only hint of the problem (ex. in the delivery of medical records, copies of a second patient’s records were attached). The absence of specific dates and patient names makes it difficult for the medical practice to effectively conduct its own investigation on the source of the problem and take prompt corrective action. OCR justifies its odd position by citing the absence of any HIPAA authorization or release from the affected patients. However, if you call the Investigator, the specific facts should be discussed with you.
The OCR Investigator expects that the medical practice will cooperate in the investigation and, where required, allow access to its facilities and records. Cooperation is recommended if the medical practice wishes to attempt to informally resolve the investigation. Involvement of legal counsel may be recommended at this stage, particularly if disclosure of facts relating to the alleged HIPAA violation is limited. OCR will request documentation from your office showing your compliance with HIPAA. A covered entity will be required to submit its Privacy Notice, at a minimum, and any documents related to the alleged HIPAA violation. For example, if there was an unauthorized disclosure of Protected Health Information (PHI) as a result of a request for medical records, the covered entity will be asked to provide its Privacy Notice, its procedures for filling requests for records and safeguards implemented to protect PHI.
Your medical office may respond to any
allegation of a HIPAA violation, submit evidence that the event did not take
place as described, dispute the existence of a violation, contest the
applicability of HIPAA, describe proposed corrective actions, or indicate that
prompt and effective action has already been taken to correct the noncompliance.
A successful resolution of the matter at this early stage will avoid
formal enforcement action and the possible imposition of civil money penalties.
In addition, if OCR determines that the violation was willful, the case can be referred to the Department of Justice (DOJ) for a criminal investigation. This can result in a fine and/or imprisonment. However, OCR does not have a procedure in place at this time for the referral of cases to the DOJ.
EMPLOYEE OR INDEPENDENT CONTRACTOR?
Some medical practices choose to retain physicians as independent contractors
rather than employees. The decision to retain a
physician as an independent contractor poses some risks, including the risk that
the Internal Revenue Service will re-characterize the arrangement as an
employer-employee relationship, thus subjecting the medical practice to
potential employment tax liability.
The Internal Revenue Service has developed a list of twenty factors that are considered in determining whether an individual qualifies as an independent contractor or an employee. While none of the factors are alone determinative, a combination of factors may be sufficient to characterize the relationship as employer-employee as opposed to an independent contractor relationship.
Factors that tend to indicate the
existence of an independent contractor relationship include the following:
The absence of instructions from the medical practice regarding how and
when the physician is required to perform his or her duties.
The physician is responsible for hiring and paying his own employees.
The medical practice does not provide any training to the physician.
The arrangement between the physician and the medical practice is
non-exclusive (i.e., the physician may provide services to other medical
practices or health care providers).
The physician may not terminate its working relationship with the medical
practice without incurring contractual liability to the medical practice.
Factors that tend to indicate the existence of an employer-employee relationship
include the following:
The medical practice is responsible for hiring, supervising and paying
personnel (such as nurses and physician assistants) to help the physician
perform his or her work.
The physician is required to work full-time and exclusively for the
The medical practice sets the physician’s hours of work and exercises
direction or control over the physician’s work.
The physician is paid by the hour, week, or month (rather than a per-job
The physician is required to personally render the services (as opposed
to having an employee or contractor of the physician performing the services).
This factor may be less significant in the physician/medical practice context
because of the unique nature of the services provided.
6. There is a continuous working relationship between the physician and the medical practice.
The physician is required to submit reports to the medical practice.
The question of whether a physician qualifies as an independent contractor continues to be an area subject to IRS scrutiny. As such, medical practices and physicians should consider seeking the advice of legal counsel to review arrangements that propose to classify physicians as independent contractors.