HEALTHCARE LAW
HIPAA's Hidden Risk
November 15, 2001
By Christopher C. Gallagher*
It is difficult and dangerous, but try to take a sip of water from a fire hose operating at full throttle. An old cliché perhaps, but appropriate when one contemplates the "fire hose" of HIPAA information spraying everywhere these days. Seen by some as a way to keep their Y2K operations intact, by others as a way to create new markets for their products, and even by lawyers as an Employment Act, HIPAA information is available everywhere. There is almost too much. Most of it warns of the difficulties and dangers of compliance. To be sure, HIPAA is difficult, and can be dangerous, but not necessarily as described by HIPAA vendors selling services. Its danger lies in the risks hidden in HIPAA's customized compliance: risks not obvious during the early process of understanding its general requirements.
Dealing as it does with the collision of people's sensitivities about health information and the absolute need of providers and payers for unimpeded information flow to provide care effectively and process payment efficiently, HIPAA certainly presents a compliance challenge. But for the most part, HIPAA is crafted carefully. Its Transaction Codes are daunting to non-"techie" types, but in reality, the Transaction Codes will, one day, be fully implemented and seamlessly absorbed into the health care system. HIPAA's Privacy Rule is difficult and needs to be sharpened in certain areas, but by reading carefully, you can find answers to most of your privacy questions. Its security provisions, not yet released in final form, promise to be even more challenging, but they too have been thoroughly thought out, and over time, as the "reculturization" of the health care community moves towards providing as much care for patient information as there is for the patient, early fears about security compliance will fade into operational routine. Dollars lost in the process may never be returned, but our healthcare system will be more effective and reliable.
However, the dangers of HIPAA and the overflow of general information about HIPAA are far subtler than their difficulties. First, HIPAA both identifies and defines a standard of conduct made applicable to covered entities. And while HHS will no doubt be "collaborative" in its early enforcement process, this standard is sure to be a tempting target for plaintiffs' lawyers, whistleblowers and others who find comfort in the torment of providers. Because HIPAA establishes a recognized standard of care with which providers must comply, it will be easier to establish provider liability for breaches of that standard. Documentation is both required and necessary to protect you, but like standards, documentation can be a two-edged sword. It can be used to attack as well as protect.
Another danger ahead is HIPAA's so-called "scalability." Committed to "common sense" and "balance," HIPAA's crafters created a common set of standards to be applied to all. But they also recognized that covered entities are highly varied in size and capacity. By allowing scale economies and operational circumstances to play a role in compliance, HIPAA offers early comfort to those whose size and operating capacities make strict compliance difficult, but it also makes compliance less reliable. Accordingly, the HIPAA that applies to your firm ("your HIPAA") isn't set forth anywhere. The HIPAA that applies to your organization is the HIPAA that applies in your state, to an operation that handles the information you handle, at your size, and according to what is reasonable for your organization. But this variability, so comforting now, may provide openings later for those more interested in your liability than your compliance efficiencies. Thus, rather than creating a covered entity safe harbor, by introducing a standard and then making it flexible, HIPAA has opened new doors to provider exploitation. And while it is clear that HIPAA privacy and security protections should not interfere with a patient's access to or quality of health care delivery, providers are still required to assume the risk that their levels of compliance with HIPAA can withstand the test of review by HHS and the courts. Your opponents can always assert that you could have, or should have, "done more."
In short, the existence of "common sense, scalable standards" introduces a level of variation which requires that organizations find the HIPAA compliance program that is right for them, not just to comply, but to withstand the attack of others. To be blunt, you are not required to comply with their HIPAA; you are required to comply with your HIPAA, and your level of compliance can define your level of liability.
A third area of danger is perhaps the most pernicious. Incorporating the doctrine of the "federal floor," HIPAA, which sets out to create "administrative simplification" by establishing a uniform national standard, ironically ends up institutionalizing the confusing "patchwork" of state laws that led in part to its enactment. HIPAA's pronouncements of preemption, followed by its full deference to any provision of state "law" that is contrary and more stringent with respect to privacy and security, perpetuate the existing tangle of conflicting, inconsistent, and often incoherent state laws. It is already clear that "contrary" will be interpreted in a way that makes almost any state law applicable (provided that one can comply with both HIPAA and the state law). "More stringent" is defined in the privacy rule with what appear to be categories of analysis tied to the Fair Information Practices of Notice, Choice, Access, Security and Enforcement. But until the courts have clarified the complex choice-of-law and preemption dynamics of HIPAA, compliance will continue to be a high-risk operation.
Worse, privacy "fundamentalists" see HIPAA's "federal floor" doctrine as an invitation to propose more laws that go beyond HIPAA's safeguards. Obviously the "balance" sought by HIPAA's crafters is tipped by such a process. If two laws, even "balanced" laws, are placed side by side, and a new law is constructed using only the more restrictive provisions of each, the "balance" is gone. And as if that imbalance itself isn't dangerous enough, the confusing "choice of law jungle" created by HIPAA's deference to state law has now made compliance even more difficult and dangerous. The HIPAA that applies to you is not what is printed in the Federal Register or outlined at a seminar. It is in fact what results when, following the processes of Part 160, Subpart B, you make difficult decisions about choices of law, inconsistent preemptions and conflicting case law. Indeed, because of this preemption process, HIPAA has not simplified much for those committed to compliance. When the "applicable" HIPAA is only what results after lengthy and expensive legal analysis about each "HIPAA" standard in each jurisdiction in which one operates, then HIPAA compliance has indeed become dangerous. (See Health Information Privacy: The Federal Floor's State Elevator.)
So first you must weave into HIPAA the applicable provisions of state law, then weave the result into the fabric of your organization. Different firms will have different views. Working through all the variables to be applied to different organizations, business associate contracts, and other arrangements that require collaborative conduct will of course be even more complex than once assumed. Accordingly, while learning the general provisions of HIPAA is both necessary and helpful, it is only a beginning, because in effect you are only learning someone else's HIPAA. Your HIPAA is not limited to HIPAA's regulatory standards, nor is it necessarily what works for anyone else. It is a process to be applied by and through your management to your organization at suitable scale, pursuant to your notices and documentation, consistent with your firm operations and culture, and with the "HIPAA" applicable in your state.
The last danger is more seductive than the others. Compliance dates are far away, so why worry? But appropriate compliance with your HIPAA requires thorough assessment, careful planning and cautious ramp-up. Much of HIPAA compliance will require workforce changes in operation and authorities. A rush to finalize contracts with business associates may introduce areas of conflict that may affect established relationships and continued cooperation. Indeed, the HIPAA information glut itself can lead to overconfidence about compliance. Remember that the soldiers on the front lines of your HIPAA compliance program who interact with today's privacy-sensitized "customer" are not the same professionals who deliver medical services. They are the administrators, clerks, and information collectors who staff your business operations. They are the ones who must comprehend and carry out your HIPAA, in circumstances that can change with every patient encounter. To be sure, appropriate levels of competency can be achieved, but not in one or two days.
Thus, it is important to keep in mind that HIPAA may appear to be what is contained in all that general information spraying everywhere. But your HIPAA exists only where, how, and at the level of compliance that is appropriate for you. HIPAA's "variables," designed to accommodate compliance, mean that your HIPAA must be defined in a dynamic process that involves you and your organization. That process will take time, attention, commitment and accommodation. It will require close coordination with your H.R. and I.T. programs, your operating documentation, collaboration protocols, and your service delivery procedures. HIPAA compliance cannot be accomplished overnight, and remember, those who can help you cannot be available to everyone in the final month before mandatory compliance.
So the next time you are confronted by the plethora of information about HIPAA as enacted by HHS, read it, learn from it, but remember that the HIPAA you see is their HIPAA, not your HIPAA. Your HIPAA is what is appropriate for your organization, under the combined HIPAA/state laws under which you operate and under the notices, agreements and operating protocols you have accepted and published as applicable to you and your organization. Remember also that even if you plan and successfully implement a HIPAA program scaled to your size, information needs and state law, some future court may see it differently. Thus, HIPAA's legal risk lives on despite compliance that satisfies HHS. Your compliance with your HIPAA also may be tested by one who stands to gain by establishing your noncompliance with a national "standard"; and until that process of judicial interpretation and application has unfolded (one would hope with someone else's HIPAA), your HIPAA is for you to find, to implement and ultimately to defend.
*Christopher C. Gallagher is admitted in New Hampshire.