As voluminous as the HIPAA privacy rule is--368 pages of small type in the Federal Register, plus 92 more pages for the August 2002 modifications--some things still were left out.
For one thing, HHS does not define what constitutes a medical record anywhere in the HIPAA administrative simplification regulations.
Instead, individual organizations may determine their own core components of medical records. However, they must document the core record set and keep written and electronic copies of the documentation for six years, according to Richard Campanelli, director of the HHS Office of Civil Rights, which is responsible for enforcing civil provisions of the privacy rule.
Still, Campanelli says OCR will not review the documentation, even for enforcement purposes.
IPAs and clinically integrated care settings such as hospitals with medical staffs of independent physicians--called "organized healthcare arrangements" (OHCAs) under HIPAA--may decide whether each entity within the loose affiliation has its own privacy notice and business associate agreements or whether the entities work together on shared ones. Either way, each unit under the OHCA umbrella is separately subject to enforcement liability, Campanelli says.
Enforcement itself, HHS says, will be driven by complaints and not by random audits of privacy practices. And even though OCR has published a "sample" form for reporting perceived HIPAA privacy violations, the rule does not prescribe what a complaint should include.
"The sample complaint form on the OCR Web site is just that," says OCR official David Mayer. "It is not a mandate."
Likewise, HHS is somewhat ambiguous about the privacy notice that covered healthcare entities must present to patients, and practices have responded differently.
The notice from Carle Clinic Association, Urbana, Ill., which has about 300 physicians, comes in at about 11 pages. Meanwhile, Martin's Point Health Care, a 30-physician practice in South Portland, Maine, has a seven-page document.