WHAT TO EXPECT IN THE EVENT OF A
HIPAA PRIVACY RULE VIOLATION
1. The Responsible Enforcement Agency.
The United States Department of Health and Human Services, Office for Civil Rights, is responsible for enforcing the privacy rule in the event of an alleged violation of HIPAA’s national standards by a “covered entity,” including a medical office. As such, the Office for Civil Rights may conduct investigations of any registered complaints and/or initiate a “compliance review”.
HIPAA privacy rule violations occurring in
2. Initiation of a HIPAA Investigation
At this time, investigations usually are triggered by the receipt of a complaint by the Office for Civil Rights (OCR) alleging that your medical office is not in compliance with the federal standards for privacy of individually identifiable health information. The OCR Investigator is likely to make initial contract by telephone. The patient has the option to remain anonymous. Complaints can be filed either on paper or electronically and must be filed within 180 days of the alleged act of noncompliance. This 180 day period may be extended for “good cause,” a term undefined by OCR. OCR recommends using their complaint form. All complaints are given a transaction number.
3. The Facts
We have found that the Investigator initially will not make available to you specific facts regarding the alleged violation but will only hint of the problem (ex. in the delivery of medical records, copies of a second patient’s records were attached). The absence of specific dates and patient names makes it difficult for the medical practice to effectively conduct its own investigation on the source of the problem and take prompt corrective action. OCR justifies its odd position by citing the absence of any HIPAA authorization or release from the affected patients. However, if you call the Investigator, the specific facts should be discussed with you.
4. OCR Expectations
The OCR Investigator expects that the medical practice will cooperate in the investigation and, where required, allow access to its facilities and records. Cooperation is recommended if the medical practice wishes to attempt to informally resolve the investigation. Involvement of legal counsel may be recommended at this stage, particularly if disclosure of facts relating to the alleged HIPAA violation is limited. OCR will request documentation from your office showing your compliance with HIPAA. A covered entity will be required to submit its Privacy Notice, at a minimum, and any documents related to the alleged HIPAA violation. For example, if there was an unauthorized disclosure of Protected Health Information (PHI) as a result of a request for medical records, the covered entity will be asked to provide its Privacy Notice, its procedures for filling requests for records and safeguards implemented to protect PHI.
5. Your Choice
Your medical office may respond to any allegation of a HIPAA violation, submit evidence that the event did not take place as described, dispute the existence of a violation, contest the applicability of HIPAA, describe proposed corrective actions, or indicate that prompt and effective action has already been taken to correct the noncompliance. A successful resolution of the matter at this early stage will avoid formal enforcement action and the possible imposition of civil money penalties.
In addition, if OCR determines that the violation was willful, the case can be referred to the Department of Justice (DOJ) for a criminal investigation. This can result in a fine and/or imprisonment. However, OCR does not have a procedure in place at this time for the referral of cases to the DOJ.
EMPLOYEE OR INDEPENDENT CONTRACTOR?
Some medical practices choose to retain physicians as independent contractors rather than employees. The decision to retain a physician as an independent contractor poses some risks, including the risk that the Internal Revenue Service will re-characterize the arrangement as an employer-employee relationship, thus subjecting the medical practice to potential employment tax liability.
The Internal Revenue Service has developed a list of twenty factors that are considered in determining whether an individual qualifies as an independent contractor or an employee. While none of the factors are alone determinative, a combination of factors may be sufficient to characterize the relationship as employer-employee as opposed to an independent contractor relationship.
Independent Contractor Factors
Factors that tend to indicate the existence of an independent contractor relationship include the following:
1. The absence of instructions from the medical practice regarding how and when the physician is required to perform his or her duties.
2. The physician is responsible for hiring and paying his own employees.
3. The medical practice does not provide any training to the physician.
4. The arrangement between the physician and the medical practice is non-exclusive (i.e., the physician may provide services to other medical practices or health care providers).
5. The physician may not terminate its working relationship with the medical practice without incurring contractual liability to the medical practice.
Factors that tend to indicate the existence of an employer-employee relationship include the following:
1. The medical practice is responsible for hiring, supervising and paying personnel (such as nurses and physician assistants) to help the physician perform his or her work.
2. The physician is required to work full-time and exclusively for the medical practice.
3. The medical practice sets the physician’s hours of work and exercises direction or control over the physician’s work.
4. The physician is paid by the hour, week, or month (rather than a per-job payment).
5. The physician is required to personally render the services (as opposed to having an employee or contractor of the physician performing the services). This factor may be less significant in the physician/medical practice context because of the unique nature of the services provided.
6. There is a continuous working relationship between the physician and the medical practice.
7. The physician is required to submit reports to the medical practice.
The question of whether a physician qualifies as an independent contractor continues to be an area subject to IRS scrutiny. As such, medical practices and physicians should consider seeking the advice of legal counsel to review arrangements that propose to classify physicians as independent contractors.