
HIPAA Privacy and Security Compliance

HIPAA for the Wound Care Team: Penalties, Enforcement, and Plans for Compliance

May 2004

    Failure to comply with HIPAA can have severe consequences for all members of the wound care team. Violations may result in civil penalties of $100 per incident, up to $25,000 per person per standard per year. Criminal penalties of up to $50,000 and 1 year in prison may be imposed for knowingly obtaining or disclosing protected health information in violation of the rule; penalties of up to $100,000 and 5 years in prison may be imposed for obtaining protected information under false pretenses; and up to $250,000 and 10 years in prison may be imposed for obtaining or disclosing information in violation of the rule with the intent to transfer or use the information for commercial or personal advantage or malicious harm.

    As of August 2003, approximately 600 complaints about HIPAA breaches had been noted by the Department of Health and Human Services (HHS), in which 1) patients did not get proper notice, 2) records were improperly accessed, 3) the structural organization of records was faulty/incorrect, and/or 4) whistleblowing by employees occurred.1 No financial penalties have yet been assessed, but this could change. HIPAA requires physicians to train their staff on the policies and procedures with respect to health information as necessary for those persons to carry out their assigned tasks. In other words, it is the physician's responsibility to train staff, but this can be accomplished in any manner deemed appropriate. This task should have been completed by April 14, 2004. Staff training on HIPAA also should be documented.

    Training can take a variety of forms. For larger organizations, formal 1- to 3-hour classes with written materials seem optimal so that training is standardized. Because the wound care team most likely is not in one location (ie, clinicians work in the hospital, wound care clinic, physical therapy clinic, and in home care), formal training that brings together all caregivers from the different settings so they are all on the same page makes sense. The training probably should be followed by a short quiz and a signed acknowledgment of training so that documentation of training is optimized. Business associates do not require training by the covered entity.

    The 600 complaints that had been filed with HHS as of last August center on matters that must be covered in training. Patients must receive notice of their HIPAA privacy rights. Although wound care usually involves multiple clinicians seeing the patient in multiple settings, this notice must be given only once by an organization; subsequently, it need only be confirmed, if needed, that the notice was provided previously. This confirmation does not have to be a separate written form but might be noted in a progress note.

    Often, wound care involves the patients and their records moving between various modalities, such as whirlpool therapy or physical therapy. Patients' medical records should not be left out in the open, especially when care is given in an open space that accommodates many patients receiving care at the same time. Records from wound care givers must be kept secure. Leaving them in stacks in open areas, or leaving them exposed in the easily accessible bags of home care providers, are practices that HIPAA was meant to curb and should be avoided.

    Whistleblowers have reported HIPAA violations. They do not receive any compensation, so their motivation might range from disgruntlement to genuine concern, but none of them can expect a cash payment for their efforts. The best way to avoid liability, and to leave whistleblowers nothing to report, is to comply with HIPAA's dictates. Because HIPAA is a work in progress, one way to mitigate liability is to have a plan for compliance. A plan for compliance in the absence of full compliance will mitigate any action HHS might take to enforce HIPAA. For example, if a facility has many employees or high employee turnover, HIPAA training for new employees should be scheduled close to, if not before, their start date. If current record-keeping facilities are located in an open area (eg, a whirlpool room with no secure place for files), an appropriate secure repository should be built or purchased.

    To conclude, penalties for failure to comply with HIPAA exist, but thus far they have not been meted out by HHS. Although complying with all of HIPAA's strictures is best, having a plan for compliance is good evidence of willingness to comply, which will mitigate any enforcement action that HHS might take. Good faith efforts, and actions that embrace the privacy spirit of HIPAA, are helpful in this regard.
