HHS Secretary Mike Leavitt has formally announced he has delegated subpoena powers to the director of the Office for Civil Rights at HHS and the authority for the director to re-delegate subpoena power for the investigation of potential violations of the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 and the Patient Safety Quality Improvement Act.
HIPAA provides authority for the imposition of civil and criminal penalties for violations. The OCR has been designated as the lead agency at HHS for receiving healthcare information privacy complaints and privacy rule enforcement. According to HHS, the law "authorizes the issuance of subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation by the secretary and the enforcement of such a subpoena in court in event of refusal to comply."
Leavitt's announcement was published in the Federal Register April 16.
In a separate announcement, Leavitt also granted subpoena power to the CMS to enforce other areas of HIPAA, including rules governing "transaction and code sets."
"There is no particular significance to the timing," said Susan McAndrew, deputy director for health information privacy at the OCR. The office already has had the ability to obtain subpoenas by going through the HHS secretary, so the recent delegation of authority would simply streamline the process, she said.
"There is an argument that our general delegation of authority would cover subpoenas," McAndrew said. "However, in subsequent conversations with our general counsel's office it was (the) recommendation that typically where subpoena authority is delegated, it is specifically done. Since it wasn't delegated in the original authority back in 2002, we did it now."
McAndrew said it would be wrong to read into the announcement that HHS intends to ratchet up enforcement by issuing subpoenas. Thus far, the OCR has not needed to compel cooperation via subpoena, she said.
Through the end of March, the office has received 26,396 complaints about possible privacy violations, McAndrew said. It has investigated and closed 6,602 cases and another 6,000 cases remain open, and most will be investigated, she said. "The outcome of those is still unknown."
"We have obtained corrective action in over 4,500 of those investigated cases" in which changes in practices were required that "vindicated individual rights," McAndrew said. None, however, has resulted in a civil monetary penalty or fine being levied against the violator.
"I think that in general, we have been successful to date in being able to resolve these cases and obtaining the appropriate corrective action with the good cooperation of the covered entities," McAndrew said. And while OCR has not had occasion to use a subpoena so far, "The day may come when that is necessary, so it was good to get the delegation done to make the process more efficient."
In addition, 386 cases have been referred to the Justice Department for further investigation into possible criminal privacy violations, which also are provided for under HIPAA for the worst offenders, typically those who use or sell protected healthcare information for profit. At last count, the Justice Department has prosecuted three cases of criminal HIPAA violations.
The OCR long has been criticized by privacy advocates for laxity in enforcing HIPAA privacy standards. Peter Swire, a professor at the Moritz College of Law at Ohio State University who served as President Clinton's chief counselor for privacy, said in a 2005 interview that the Bush administration "has not supported HIPAA enforcement."
According to Deborah Peel, an Austin, Texas, psychiatrist and the founder of the not-for-profit Patient Privacy Rights Foundation, the weakness in privacy protection is because of the administration's policies and revisions made to the privacy rule during the tenure of Tommy Thompson as HHS secretary.
"Although the government has been extremely lax in going after privacy violators to date, the majority of medical privacy violations reported to OCR have not violated the HIPAA privacy rule, because HIPAA has almost no privacy rights to enforce," Peel said in an e-mail statement. "In 2002, the HIPAA privacy rule eliminated the right of consent and legalized access to every American's medical records by 600,000 to 800,000 health-related businesses and government agencies, without consent, without notice and even over consumers' objections."