Articles July 31, 2014

Media Focus On Lax HIPAA Law Implementation May Foster New Enforcement Activity

By Stuart E. Hoffman, DC, FICA, ChiroSecure President
Recent media reports on Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforcement activities have generated a nationwide wave of criticism and calls from consumer groups and some Members of Congress for greater implementation efforts. The US Department of Health and Human Services (HHS) has reported that since the HIPPA law came into effect, 19,420 complaints have been filed, but only two criminal prosecutions have been recorded and the overwhelming majority of grievances have been dismissed. Media reports have also focused criticism on the fact that not a single dollar in HIPAA fines has been collected from violators.

HHS acknowledges that the agency has “closed” more than 73 percent of HIPAA cases, finding in more than 14,000 cases that there was no actual HIPAA violation or, determining that action on the part of the doctor, health plan, hospital or other covered entity to fix or promise to fix the problem, was sufficient to drop the matter, thus avoiding any risk of penalty. The law gave HHS the authority to impose fines of $100 for each civil violation, up to a maximum of $25,000. HHS can also refer possible criminal violations to the Justice Department, which could seek penalties of up to $250,000 in fines and 10 years in jail.

Despite initial concerns on the part of health care providers and institutions that the HIPAA law would unleash a massive new storm of complaints and prosecutions, the go-slow policy of the government has surprised and pleased most entities in health care. According to Winston Wilkinson, head of HHS’s Office of Civil Rights “Our first approach to dealing with any complaint is to work for voluntary compliance. So far, it’s worked out pretty well.”

This minimum implementation period is likely about to come to an end, however, especially in light of the recent highly publicized security breach in the records system of the US Department of Veterans Affairs. In May, 2006 an employee of the Veterans Administration took home a laptop with electronic data containing the names, Social Security numbers and dates of birth dates of 26.5 million veterans and some spouses. This security breach was so egregious that top federal officials have cautioned all US military veterans to be extra vigilant in watching their credit card and bank accounts, and in guarding against identity theft.

The precarious security of health information of private citizens has received so much media attention because of the HIPAA enforcement report and the VA security breach that more aggressive privacy enforcement and more stringent penalties are inevitable, especially as Members of Congress add their voices to the calls for more aggressive action.

The message for doctors of chiropractic and associated professionals and staff is CAUTION, NOW MORE THAN EVER, as pressure to launch an aggressive new wave of enforcement efforts is inevitable, and also because public awareness of HIPAA protections has significantly increased due to the recent media coverage. The final deadline for small plans to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security standards was April 2, 2006. A small health plan is defined as a plan with annual receipts of $5 million or less, and incorporates the vast majority of chiropractic practices. All chiropractic practices must have a HIPAA compliance plan in place and be prepared to address and defend practice operations in the case of a complaint.

The HIPAA Privacy Rule established national standards to protect individuals’ medical records and other personal health information and to give patients more control over their health information. HIPAA sets limits on the use and release of health records and establishes safeguards that providers and health plans must implement to protect the privacy of health information. The HIPAA Privacy Rule provides that, in general, a covered entity may not use or disclose an individual’s healthcare information without permission except for treatment, payment, or healthcare operations.

Now is a very appropriate time to conduct a refresher course in HIPAA compliance and to remind all staff and associated professionals of the need to take HIPAA issues seriously. For more information on HIPAA, see the official HHS website at:

It is also important to review your personal malpractice coverage to determine if your professional liability insurance includes HIPAA complaint coverage. Unlike most chiropractic professional liability programs, ChiroSecure offers sound HIPAA coverage as a standard element in its chiropractic professional liability policies, thus providing an additional peace of mind to those with ChiroSecure coverage.

Stuart E. Hoffman, DC, FICA, is the president of ChiroSecure, the only malpractice insurance program endorsed and approved by the International Chiropractors Association. Dr. Hoffman is a highly experienced doctor of chiropractic and licensed insurance broker who knows the intricate details of daily practice and who can give you the best advice based on his unique knowledge of both the insurance world and the world of chiropractic. To find out how you can get liability protection at the best rates call Dr. Hoffman at 1-866-802-4476 or visit