The recently proposed HITECH Act changes to HIPAA go into extensive detail on the categories of culpability. Setting aside some of the other interesting aspects of these modifications, and the other highlights of the rules, one example relating to the "willful neglect" standard struck me as new and unusual.
In describing a situation which may arise to the level of willful neglect, HHS provides an example of a covered entity that failed to respond to an individual's request that it restrict its uses and disclosures of protected health information. HHS's investigation reveals that the covered entity has no policies and procedures to consider the request for a restriction and it "refuses to accept any requests for restrictions from individual patients who inquire." It is the quoted language which seems so odd to me. Under HIPAA's Privacy Rule, a covered entity is not obligated to accept any request for a restriction on uses or disclosures. (45 C.F.R. section 164.522(a)(1)(i)). In the past, many have counseled that covered entities should never agree to such a restriction because it goes beyond what HIPAA mandates and it may subject the covered entity to a multitude of record-keeping and other logistical difficulties. In other words, the patient had the right to request, but did not have the right to receive, such a restriction on the PHI. In addition, the Privacy Rule only requires documentation if the covered entity agrees to the restriction and the implementation specifications (i.e. policies and procedures) only relate to agreement to the restriction.
However, the preamble to the proposed Rule states that "In the second example, the covered entity's refusal to accept any requests for restrictions from individual patients who inquire would be grounds for a separate finding of a violation due to willful neglect." I fail to see how refusing to accept any requests would amount to any violation, let alone willful neglect. Perhaps HHS is using the term "accept" to mean simply that the individual has a right to submit the request and that submission must be accepted (or, that the patient has inquired about the right to request and that inquiry was not accepted), rather than using "accept" to mean agreement. In either case, it is a very strong and straightforward statement that is not completely supported by existing law.
