In Depth
Managing HIPAA's Pain
Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.
By Sarah D. Scalet
It remains to be seen what kind of specifics the HHS Centers for Medicare and Medicaid Services, which is in charge of enforcing the security rule, will expect when it begins enforcement. But if it's anything like the privacy rule, compliance will be all over the board. While some organizations are not yet in compliance, others are taking HIPAA to ridiculous extremes. Just before Christmas, a hospital in Wisconsin announced that a 13-year-old leukemia survivor would no longer be allowed to make her annual toy delivery to young patients, on the grounds that patient privacy would be violated. And in New York state, one hospital recently decided that it would no longer send out birth announcements to local newspapers because of HIPAA concerns. (Other hospitals in the state still send the announcements but require a parent's signature.)
PWC's Smith, for her part, thinks legal departments are running scared. "A lot of them don't know what compliance is going to mean. They're worried about who might sue them," she says. "Some of my CSOs are saying, I've been doing this. It's the legal departments coming in, fearful, saying, Can we prove what we're doing? They're dotting their I's and crossing their T's."
But it's not the way the HIPAA privacy rule is being enforced that's prompting them to act. In 2003, in fact, HHS's Office of Civil Rights
Congress established civil penalties of up to $100 per violation, up to $25,000 for violations of the same standard in a calendar year. (Criminal penalties, for violations such as selling PHI for commercial advantage, go up to $250,000. Violators could also face up to 10 years in prison.)
In theory, the civil fines are small in comparison with what organizations are spending on compliance. But in reality, they're nonexistent. In 2003, a grand total of zero dollars in fines had been levied against anyone for HIPAA violations.
But for Pacific Life's Krause, at least, that's beside the point. It's incentive enough that auditing and rating agencies are including security and privacy questions in their surveys. Besides, she says, none of these regulations are so onerous if you have good security processes in the first place.