HIPAA – Enforcement

June 2013

… According to statistics from the U.S. Department of Health and Human Services (HHS), of the complaints that have been received and resolved since the HIPAA (Privacy Rule) compliance date in April 2003, over sixty percent (60%) of the complaints have been closed because they were not eligible for enforcement. The Office for Civil Rights (OCR) within HHS receives and resolves complaints for violation of the HIPAA Privacy Rule. An example of a complaint not eligible for enforcement is a complaint alleging a violation by an entity not covered by HIPAA. Additionally, it is possible that the complaint would be closed because it was not filed in a timely manner (generally within 180 days of the alleged violation).

The compliance issue investigated the most was for impermissible uses and disclosures of protected health information. The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are private practices. Approximately twelve and one-half percent (12.5%) of complaints were investigated and resulted in a finding of no violation. Approximately twenty-six and one-half percent (26.5%) of the complaints were investigated and resolved by some kind of enforcement action, such as requiring changes in the privacy practices of the involved covered entities.

These statistics, along with other information I have read, indicate to me that fears of the OCR and HIPAA enforcement by “the feds” is somewhat overblown. Of course, many sole proprietors may not be a “covered entity” under the HIPAA regulations. If a complaint is filed with HHS against such persons, their response to an OCR inquiry would be that they are not a covered entity and therefore not bound by the “Privacy Rule.” The OCR will typically ask the subject of the complaint to submit information regarding whether or not certain information (insurance-related transactions) is transmitted electronically. Assuming that there is nothing suspicious about the explanation given to OCR, a statement indicating that there is no electronic transmission should suffice. OCR can, of course, inquire further.

Even in cases where the provider is a covered entity under HIPAA, the OCR generally seeks voluntary compliance and usually pays more interest to larger organizations with systemic problems and those who knowingly or intentionally violate the regulations. With respect to sole proprietors who are covered entities, the statistics seem to indicate that there is not much to worry about – unless, of course, the provider is involved in some kind of intentional or reckless behavior with respect to compromising the privacy of the patient or the provider has not voluntarily or adequately complied with the Privacy Rule’s requirements.

When OCR finds some kind of a defect in a provider’s privacy practices, they typically seek voluntary compliance. OCR is not likely to impose substantial fines unless there is a serious or substantial violation found. They will usually seek voluntary compliance, some form of corrective action, or other agreement. In more serious cases, however, they may file a formal finding of violation. The person complained against can request a hearing before an Administrative Law Judge with Health and Human Services to contest the finding.


Richard Leslie

"At the Intersection of Law and Psychotherapy" Richard S. Leslie is an attorney who has practiced at the intersection of law and psychotherapy for the past twenty-five years. Most recently, he was a consultant to the American Association for Marriage and Family Therapy (AAMFT), where he worked with their various state divisions to develop and implement their legislative agendas. He also provided telephone consultation services to AAMFT members regarding legal and ethical issues confronting practitioners of diverse licensure nationwide. Additionally, he wrote articles regarding legal and ethical issues for their Family Therapy Magazine and presented at workshops on a variety of legal issues. Prior to his work with AAMFT, Richard was Legal Counsel to the California Association of Marriage and Family Therapists (CAMFT) for approximately twenty-two years. He was director of Government Relations for CAMFT, and as such was the architect of CAMFT’s widely regarded and successful legislative agenda. He represented CAMFT before the regulatory board (the Board of Behavioral Sciences) and was a tireless advocate for due process and fairness for licensees and applicants. He was a regular presenter at workshops and was consistently evaluated as CAMFT’s most highly rated presenter. He also sat with the CAMFT Ethics Committee and acted as their advisor on matters pertaining to the enforcement of ethical standards. Richard is an acknowledged expert on matters pertaining to the interrelationship between law and the practice of marriage and family therapy and psychotherapy. For many years, he taught Law and Ethics courses for a number of colleges and universities in their marriage and family therapy degree programs. While at CAMFT, he provided telephone consultation services with thousands of therapists in California and elsewhere for over twenty years. He is highly regarded for his judgment, his expertise, his direct style, and his clarity. Richard has been the driving force for many of the changes and additions to the laws of the State of California that affect MFTs. In 1980, he was primarily responsible for achieving passage of the "Freedom of Choice Law" that required insurance companies to pay for psychotherapy services performed by MFTs. Passage of that law allowed MFTs to earn a living, allowed them to better compete in the marketplace, and strengthened the profession in California by leading to a great increase in the number of licensees and CAMFT membership. Currently, about half of the licensed marriage and family therapists in the country are licensed in California. While at CAMFT, Richard was primarily responsible for, among other things, the successful effort to criminalize sex between a patient and a therapist. He was successful in extending the laws of psychotherapist-patient privilege to MFTs, thereby giving patients the same level of privacy protection as when seeing a psychiatrist or psychologist. He fought tirelessly and successfully for the right of MFTs to refer to themselves as "psychotherapists," to perform psychological testing services, to be appropriately reimbursed by California’s Victims of Crime Program, and to be employed in county mental health agencies throughout California. Richard was admitted to the Bar in New York (1969) and in California (1973). While practicing in New York, he served as a public defender, and later, as an Assistant District Attorney. Shortly after moving to California, he worked for the San Diego County Human Relations Commission as their Law and Justice Officer. While there, he worked successfully to achieve greater racial diversity in the criminal jury selection system and to expose and stop police abuse. For such work with that agency, he was the recipient of the Civil Libertarian of the Year Award by the San Diego Chapter of the American Civil Liberties Union.

Have Questions? click here, We’re happy to help!