Comment on FR Doc # E9-26203

November 17, 2009 Office of the Secretary RE: HIPAA Administrative Simplification: Enforcement, Rule IFR (RIN 0991-A55) I am writing to you in regards to the proposed changes in the HIPAA/HITECH penalty structure. If I correctly understand the new penalty structure that HHS is proposing and planning to implement by November 30, 2009, then HHS is sending a very clear message to all providers. 1. No matter what precautions the providers takes, 2. No matter that the patient’s life, health and well-being was determined to be more crucial than HIPAA at a specific moment in time, 3. No matter that the provider could not have possibly known there was a HIPAA violation, 4. No matter that a violation was identified and quickly corrected to prevent future problems, 5. No matter the training or the money spent for that training or for hard costs associated with protecting patient privacy, 6. No matter what a provider does… …..if HHS so desires, then the maximum penalty of $1.5 million dollars can be imposed upon a provider. A penalty that large would essentially bankrupt most 1-4 practitioner practices in this country. Or, at a minimum, GREATLY impact the medical care provided to all patients, regardless of payer. I cannot imagine that that is what HHS is truly trying to accomplish. With the maximum penalty as high as $1.5 million dollars, it makes me wonder who HHS is really going after. If it is the larger practices and hospitals, then yes they would be better able to handle such a large fine. However, $1.5 million would still significantly impact the ability to provide medical care. There would be fewer nurses, fewer doctors, fewer radiology techs, fewer cleaning people, fewer aides etc. If HHS is after the smaller practices, it will be very easy for those smaller practices to look at the proposed penalty structure and determine that no matter what they do to maintain HIPAA compliance, that HHS will come in and slap them with a $1.5 million penalty. What would be the point of spending precious time and money on something like HIPAA compliance when a practice won’t even get consideration for all the correct things they have done? I greatly fear that the proposed penalty structure is so outrageously unrealistic, that smaller practices (maybe bigger ones too) will not take HIPAA seriously any longer, and just take their chances. I am also concerned that HHS would impose a penalty on a practice, or any other medical facility or provider, if circumstances made it unreasonable for a provider to comply with HIPAA. I can think of several circumstances where a patient’s well-being should come first, always. Look at the injuries during the recent tornadoes, earthquakes, hurricanes, mass shootings, bus accidents, ferry accidents, and this list goes on and on. People that work in the medical field have a primary purpose of saving limbs, saving eyes, protecting a patient’s quality of life, saving our parents and saving our children. For a provider at any level ( M.D., PA-C, NP, Nurse, paramedic, aide, etc) to worry first about whether or not their actions would cause a HIPAA violation, and subsequent $1.5 million penalty by HHS that is so overwhelmingly huge as to affect the provider’s ability to even continue working, is backwards. With a penalty structure like the one proposed, in an emergency situation a provider will be forced to choose between their ethical commitment of preserving and saving human life, and the unrealistic expectations of HHS. I am not sure why HHS feels that medical providers are not taking HIPAA seriously. Our practice is in a small community (less than 80,000) and every other practice, hospital, lab or community clinic we work with takes HIPAA very seriously, and is constantly reworking policies and protocols to better maintain compliance, just as we are. As a patient, and we are all one somewhere, I am acutely aware of how other providers handle my protected health information and I am impressed. I cannot believe that our community is leaps and bounds ahead of other parts of the country in our efforts to be HIPAA compliant. Perhaps HHS is fixing something that does not need fixed? Just a final thought. If the government really wishes providers at all levels to keep costs down, then the government should not force providers to take out expensive insurance policies to cover penalties, such as a $1.5 million dollar HIPAA/HITECH fine. Just as the government has to pass the cost of doing business down to the taxpayers, so too must providers pass the cost of providing medical care (doing business) down to their patients. It will be a terrible mistake to over penalize, or say you are going to over-penalize, our medical providers in the hopes that it will ensure better HIPAA compliance. Sincerely, Laura Ackerman HIPAA Compliance Officer Eye Care Specialists Clarkston, WA